AI Security Wire

CVE-2026-27740: Discourse AI Triage Delivers Stored XSS to Admins

Discourse, the widely deployed open-source forum platform, has patched a vulnerability that turns its own AI content moderation feature against the administrators who rely on it. CVE-2026-27740 allows a regular user to craft a post that prompt-injects the platform’s LLM triage system, causing it to return attacker-controlled JavaScript, which is then executed in the browser session of any moderator or admin who reviews the flagged content. The patch is available now.

The Attack in Detail

Discourse’s AI triage feature is designed to help understaffed moderation teams. When a post is flagged for review, the AI summarises the content and adds a triage note to the staff Review Queue. The intent is to help mods prioritise without reading every flagged item in full. That workflow is exactly what CVE-2026-27740 abuses.

The attack starts with a malicious user posting content that contains a prompt injection payload alongside whatever surface-level text makes the post look flag-worthy. The injected prompt instructs the AI to output JavaScript in its triage summary. When the Discourse software builds the Review Queue view, it passes the AI-generated summary through htmlSafe(), a Rails helper that explicitly marks content as safe for rendering without HTML escaping. The browser sees the JavaScript and runs it.

From there the attacker has a full cross-site scripting execution context inside the session of a staff member. They can exfiltrate session tokens, create new admin accounts, modify forum settings, or use the admin API for further access. The Review Queue is only visible to staff, which adds a layer of irony: the attack is entirely invisible to regular users, and it specifically targets the people with the most access.

Researchers at PointGuard AI published the technical analysis, and the vulnerability is catalogued in the NVD under CVE-2026-27740.

Why This Matters Beyond Discourse

Forum software is mid-tier infrastructure. It doesn’t show up on most enterprise threat models. But large Discourse instances serve developer communities, enterprise internal knowledge bases, government and academic institutions, and product feedback platforms. A staff account compromise on a developer forum can expose pre-release software details, internal issue trackers, private categories, and direct messages between staff members.

More broadly, this vulnerability illustrates a class of problem that will keep appearing as AI features are bolted onto existing software. The AI triage integration introduced a new trust boundary: the system now treats LLM output as content that needs to be rendered rather than as user input that needs to be escaped. Engineers who built the original flagging system probably never considered that a flagged post could cause the review UI to execute code. The AI feature retroactively created that possibility.

The fix is precise but instructive. Discourse resolved the issue by replacing htmlSafe() with ERB::Util.html_escape() on all LLM-generated output in the review interface. The principle: treat AI-generated text the same way you treat user input, because the AI may have been instructed by user input to produce exactly what an attacker wants.
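The two rendering paths side by side, as an added example that is not Discourse's code: a stand-in ERB template for a review card, with a constructed string playing the LLM summary. The templates, function names and sample string are assumptions made for illustration.

```ruby
require "erb"

# Constructed stand-in for a triage summary returned by the LLM after a
# post steered it into emitting markup. The marker script does nothing.
LLM_SUMMARY = 'Likely spam. <script>/* constructed marker */</script>'

# Hypothetical review-card templates (not Discourse's own markup).
# Stdlib ERB does not escape <%= %> output, so RAW_CARD models a sink
# that trusts the summary as ready-made HTML.
RAW_CARD  = ERB.new('<div class="triage-note"><%= summary %></div>')
SAFE_CARD = ERB.new('<div class="triage-note"><%= ERB::Util.html_escape(summary) %></div>')

# Vulnerable pattern: model output is inserted as markup.
def render_trusted(summary)
  RAW_CARD.result_with_hash(summary: summary)
end

# Hardened pattern: model output is escaped like any other user input.
def render_escaped(summary)
  SAFE_CARD.result_with_hash(summary: summary)
end

# True when the rendered card contains an element the template did not
# put there, i.e. model output was parsed as markup rather than text.
def injected_markup?(html)
  tags = html.scan(/<\s*([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase)
  (tags - ["div"]).any?
end

if __FILE__ == $PROGRAM_NAME
  puts render_trusted(LLM_SUMMARY)
  puts render_escaped(LLM_SUMMARY)
  puts injected_markup?(render_trusted(LLM_SUMMARY))
  puts injected_markup?(render_escaped(LLM_SUMMARY))
end
```

A check like `injected_markup?` fits a regression test for any view that displays model output, so a later template change that reintroduces a trusting sink fails the build.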

Affected Versions and Patch

The vulnerability affects Discourse installations running the AI triage feature. Patched versions:

  • discourse-latest branch: 2026.3.0-latest.1 or later
  • Stable branch: 2026.2.1 or later
  • Legacy stable: 2026.1.2 or later

Self-hosted instances need to update manually. Discourse-hosted customers on managed plans received the patch automatically.

Detection and Mitigation

If you cannot update immediately, disable the AI content triage feature in your Discourse admin settings until the patch is applied. This removes the vulnerable rendering path entirely.

For post-patch detection, review admin audit logs for unexpected staff account actions, configuration changes, or API key creation in the period your instance was running a vulnerable version. The attack executes silently from the moderator’s browser, so server-side logs will show legitimate-looking staff requests.
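One way to triage an exported log along these lines, as an added example rather than Discourse tooling: it keeps sensitive staff actions from the vulnerable window and ranks higher those that follow the same account opening a review item. The record fields, action labels, 300-second threshold and sample rows are all assumptions.

```ruby
require "time"

# Hypothetical action labels; map them to the names in your own log export.
SENSITIVE = %w[grant_admin create_api_key change_site_setting].freeze
FOLLOW_WINDOW = 300 # seconds after a review-queue open (assumed threshold)

# Constructed sample records: merged staff-action and request log rows.
EVENTS = [
  { at: "2026-03-02T10:00:05Z", actor: "mod_anna", action: "open_review_item" },
  { at: "2026-03-02T10:00:09Z", actor: "mod_anna", action: "create_api_key" },
  { at: "2026-03-02T10:00:11Z", actor: "mod_anna", action: "grant_admin" },
  { at: "2026-03-03T15:30:00Z", actor: "admin_raj", action: "change_site_setting" },
  { at: "2026-03-20T09:00:00Z", actor: "mod_anna", action: "create_api_key" },
].freeze

# Returns sensitive actions inside the vulnerable window, each tagged
# :after_review when the same actor opened a review item shortly before.
def triage(events, vulnerable_from:, patched_at:)
  from = Time.iso8601(vulnerable_from)
  to = Time.iso8601(patched_at)
  last_open = {}
  events.sort_by { |e| e[:at] }.each_with_object([]) do |e, hits|
    t = Time.iso8601(e[:at])
    next unless t >= from && t < to
    if e[:action] == "open_review_item"
      last_open[e[:actor]] = t
    elsif SENSITIVE.include?(e[:action])
      opened = last_open[e[:actor]]
      near = opened && (t - opened) <= FOLLOW_WINDOW
      hits << e.merge(priority: near ? :after_review : :in_window)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(EVENTS, vulnerable_from: "2026-03-01T00:00:00Z",
                 patched_at: "2026-03-10T00:00:00Z").each { |h| puts h }
end
```

Because the requests look legitimate on the server side, the output is a review list to confirm with the named staff members, not a verdict.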

Once the patch is applied, check the SentinelOne vulnerability database entry for CVE-2026-27740 for current indicator status as the disclosure matures.

Frequently Asked Questions

What is the attack chain in CVE-2026-27740?

A malicious user posts content that prompt-injects the Discourse AI triage LLM, causing it to return malicious JavaScript in its triage output. That output is rendered by the forum software using htmlSafe() in the Review Queue visible only to staff. When a moderator or admin opens the flagged item, the script executes in their authenticated browser session, giving the attacker full control over the staff account.

Does this require any special access or permissions to exploit?

No. The attack requires nothing more than the ability to post content on the Discourse forum. Any registered user on an instance with the AI triage feature enabled can trigger the chain. The privileged execution happens on the moderator side when they review the flagged post.

How do I know if my Discourse instance is vulnerable?

Any Discourse instance running the AI triage feature on versions before 2026.3.0-latest.1 or before the respective stable backports (2026.2.1 and 2026.1.2) is vulnerable. Update to the patched release and confirm that all LLM-generated output in admin views is now sanitized via ERB::Util.html_escape rather than passed through htmlSafe().