PT-2026-5184 · Discourse · Discourse

Published: 2026-01-28 · Updated: 2026-02-02 · CVE-2025-68660

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description
Discourse is an open source discussion platform. An endpoint allows any authenticated user to bypass the AI Discover persona access controls and gain ongoing direct message (DM) access to personas. These personas may be linked to staff-only categories, Retrieval-Augmented Generation (RAG) document sets, or automated tooling, so the bypass can lead to unauthorized data disclosure. The controller also accepts an arbitrary user id, which lets an attacker impersonate other accounts and initiate unwanted AI conversations on their behalf, potentially generating confusing or abusive private message traffic.
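The two authorization properties the description names, the acting user must come from the authenticated session rather than a request parameter, and the persona's access list must be enforced, shown side by side as an added illustration. This is not Discourse's code; Persona, User, AiConversationService and the group ids are hypothetical and constructed for the example.

```ruby
# Added illustration, not Discourse's own code: the vulnerable shape beside the
# hardened shape of a "start a DM with a persona" action. All names are hypothetical.

Persona = Struct.new(:name, :allowed_group_ids)
User = Struct.new(:id, :group_ids)

class AccessDenied < StandardError; end

module AiConversationService
  # Vulnerable shape: the actor is taken from client-supplied params and the
  # persona's access list is never consulted, so any authenticated caller can
  # reach any persona and attribute the conversation to any user id.
  def self.start_conversation_unsafe(params, personas)
    persona = personas.fetch(params[:persona_name])
    { actor_id: params[:user_id], persona: persona.name }
  end

  # Hardened shape: the actor is always the session user, and the persona is
  # only reachable when the user belongs to one of its allowed groups.
  def self.start_conversation(current_user, params, personas)
    persona = personas.fetch(params[:persona_name]) { raise AccessDenied, "unknown persona" }
    raise AccessDenied, "persona not permitted for this user" unless persona_allowed?(persona, current_user)
    # Any user_id present in params is deliberately ignored.
    { actor_id: current_user.id, persona: persona.name }
  end

  def self.persona_allowed?(persona, user)
    (persona.allowed_group_ids & user.group_ids).any?
  end
end

# Constructed sample data: group 1 is an ordinary members group, group 3 is staff.
PERSONAS = {
  "public_helper" => Persona.new("public_helper", [1]),
  "staff_only"    => Persona.new("staff_only", [3])
}
MEMBER = User.new(42, [1])
```

Running the hardened method with a spoofed user_id still attributes the conversation to the session user, and requesting the staff-only persona as an ordinary member raises AccessDenied.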
Recommendations
Update Discourse to version 3.5.4 or later.
Update Discourse to version 2025.11.2 or later.
Update Discourse to version 2025.12.1 or later.
Update Discourse to version 2026.1.0 or later.


Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2025-68660
CVE-2025-68660
GHSA-MRVM-RPRQ-JQQH

Affected Products

Discourse