PT-2026-5186 · Discourse · Discourse

Published: 2026-01-28 · Updated: 2026-02-02 · CVE-2025-68666

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0

Description

Discourse is an open source discussion platform. User archives are viewable by users with moderation privileges, even though moderators should not have access to the archives. This leads to a breach of confidentiality: private topic and post content created by users is leaked through the archives.

Recommendations

Upgrade to Discourse version 3.5.4 or later.
Upgrade to Discourse version 2025.11.2 or later.
Upgrade to Discourse version 2025.12.1 or later.
Upgrade to Discourse version 2026.1.0 or later.

As a temporary workaround, a site admin can revoke the moderation role from all moderators until the Discourse instance has been upgraded to a patched version.

Exploit

Fix

LPE

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2025-68666
CVE-2025-68666
GHSA-XMVW-JJQQ-25MV

Affected Products

Discourse