PT-2025-40289 · Discourse · Discourse

Tgxworld · Published 2025-10-01 · Updated 2025-10-23 · CVE-2025-58055

CVSS v3.1: 4.3 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Discourse versions 3.5.0 and below

Description: Discourse, an open-source community discussion platform, had an issue where authenticated users could access information about topics they were not authorized to view. This occurred through the AI suggestion endpoints for topic "Title", "Category", and "Tags". By modifying the topic id value in API requests to these endpoints, users could target specific restricted topics. The AI model's responses then disclosed information that the authenticated user shouldn't have access to. The affected API endpoints are used for AI suggestions related to topics.

Recommendations: Update to version 3.5.1 or later. Restrict group access to the AI helper feature through the "composer ai helper allowed groups" and "post ai helper allowed groups" site settings.
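The following is an added illustration, not Discourse's own code: a minimal model of the access-control flaw described above (a "suggest title" handler that trusts the client-supplied topic id) placed next to a hardened version that applies a per-topic authorization check and a group gate in the spirit of the "ai helper allowed groups" settings. The Topic, User and Guardian types, the TOPICS store, the group id and the handler names are all assumptions made for this example.

```ruby
# Added example, not Discourse's own code. Types, data and handler names are
# assumptions made for this illustration.

Topic = Struct.new(:id, :title, :raw, :private, :allowed_user_ids)
User  = Struct.new(:id, :admin, :group_ids)

# Constructed sample data: one public topic, one private topic only user 10 may see.
TOPICS = {
  1 => Topic.new(1, "Welcome thread", "Hello everyone, introduce yourself here", false, []),
  2 => Topic.new(2, "Confidential planning", "Draft budget cuts for next quarter", true, [10]),
}.freeze

# Stand-in for an "ai helper allowed groups" site setting (constructed group id).
AI_HELPER_ALLOWED_GROUP_IDS = [3].freeze

# Minimal stand-in for a permission object: decides what a user may read or use.
class Guardian
  def initialize(user)
    @user = user
  end

  # A private topic is visible only to its allowed users (and admins).
  def can_see?(topic)
    return false if @user.nil?
    return true if @user.admin
    return true unless topic.private
    topic.allowed_user_ids.include?(@user.id)
  end

  # Feature gate: only members of the configured groups may use the helper.
  def can_use_ai_helper?
    return true if @user.admin
    (@user.group_ids & AI_HELPER_ALLOWED_GROUP_IDS).any?
  end
end

# Stand-in for the model call: the suggestion is derived from the topic body,
# which is exactly why returning it for an unauthorized topic leaks content.
def suggest_title_for(topic)
  "Suggested title: #{topic.raw.split.first(4).join(' ')}"
end

# Vulnerable shape: checks only that the caller is logged in, then looks up
# whatever topic id the client sent and feeds it to the model.
def suggest_title_vulnerable(user, params)
  return { status: 403 } if user.nil?
  topic = TOPICS[params[:topic_id]]
  return { status: 404 } if topic.nil?
  { status: 200, body: suggest_title_for(topic) }
end

# Hardened shape: gate the feature by group, then authorize the specific
# topic against the caller before any of its content reaches the model.
def suggest_title_fixed(user, params)
  return { status: 403 } if user.nil?
  guardian = Guardian.new(user)
  return { status: 403 } unless guardian.can_use_ai_helper?
  topic = TOPICS[params[:topic_id]]
  # Same response for "does not exist" and "not visible", so the endpoint
  # cannot be used to confirm that a restricted topic id exists.
  return { status: 404 } if topic.nil? || !guardian.can_see?(topic)
  { status: 200, body: suggest_title_for(topic) }
end

if __FILE__ == $PROGRAM_NAME
  outsider = User.new(20, false, [3])
  puts suggest_title_vulnerable(outsider, topic_id: 2).inspect # leaks topic 2
  puts suggest_title_fixed(outsider, topic_id: 2).inspect      # {:status=>404}
end
```

The important property of the hardened handler is that the authorization decision is made on the object the request actually names, not on the caller's session alone; the group gate narrows who can reach the endpoint at all, which is what the recommended site settings achieve, but it does not replace the per-topic check.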

Exploit

Fix

Improper Access Control

IDOR

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2025-58055
CVE-2025-58055
GHSA-32V2-X274-VFHR

Affected Products

Discourse