PT-2026-5192 · Discourse · Discourse

Published 2026-01-28 · Updated 2026-02-02 · CVE-2025-68933

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0
Description

Discourse is an open source discussion platform. Non-admin moderators with the "moderators change post ownership" site setting enabled can change ownership of posts in private messages and restricted categories they cannot access, and then export their data to view the content. The cause is broken access control: the ownership transfer did not verify that the moderator could see the topic or its posts. The patch adds visibility checks for both the topic and the posts before allowing ownership transfer.
Recommendations

Disable the "moderators change post ownership" site setting to prevent non-admin moderators from using the post ownership transfer feature.
Update to Discourse version 3.5.4 or later.
Update to Discourse version 2025.11.2 or later.
Update to Discourse version 2025.12.1 or later.
Update to Discourse version 2026.1.0 or later.
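The access-control gap in the description and the interim mitigation in the recommendations, shown side by side as an added example. This is not Discourse's code; the structs, method names and sample data are assumptions built for illustration, with the vulnerable guard (role and site setting only) next to the hardened guard that also checks topic and per-post visibility.

```ruby
# Hypothetical model of the guard the advisory describes; these structs and
# method names are assumptions for illustration, not Discourse's own code.
Actor    = Struct.new(:name, :admin, :moderator, :visible_topic_ids)
Topic    = Struct.new(:id, :private_message)
Post     = Struct.new(:id, :topic_id)
Settings = Struct.new(:moderators_change_post_ownership)

# Role/setting gate shared by both versions of the guard.
def role_allows_transfer?(actor, settings)
  actor.admin || (actor.moderator && settings.moderators_change_post_ownership)
end

def can_see_topic?(actor, topic)
  actor.admin || actor.visible_topic_ids.include?(topic.id)
end

# A post is visible only if it belongs to a topic the actor can see.
def can_see_post?(actor, topic, post)
  post.topic_id == topic.id && can_see_topic?(actor, topic)
end

# Vulnerable guard: trusts the moderator role plus the site setting and never
# asks whether the moderator can read the topic or posts being reassigned.
def can_change_owner_vulnerable?(actor, settings, _topic, _posts)
  role_allows_transfer?(actor, settings)
end

# Fixed guard: same gate, then visibility of the topic and of every post,
# matching the "visibility checks for both the topic and posts" in the patch.
def can_change_owner_fixed?(actor, settings, topic, posts)
  return false unless role_allows_transfer?(actor, settings)
  return false unless can_see_topic?(actor, topic)
  posts.all? { |post| can_see_post?(actor, topic, post) }
end

# Constructed sample: a non-admin moderator who can see public topic 7 but is
# not a participant in private message 42. SETTING_OFF is the interim mitigation.
SETTING_ON, SETTING_OFF = Settings.new(true), Settings.new(false)
MOD       = Actor.new("mod", false, true, [7])
PM_TOPIC  = Topic.new(42, true)
PUB_TOPIC = Topic.new(7, false)
PM_POSTS  = [Post.new(1, 42), Post.new(2, 42)]
PUB_POSTS = [Post.new(3, 7)]

def demo
  { vulnerable_pm:  can_change_owner_vulnerable?(MOD, SETTING_ON, PM_TOPIC, PM_POSTS),
    fixed_pm:       can_change_owner_fixed?(MOD, SETTING_ON, PM_TOPIC, PM_POSTS),
    fixed_public:   can_change_owner_fixed?(MOD, SETTING_ON, PUB_TOPIC, PUB_POSTS),
    setting_off_pm: can_change_owner_vulnerable?(MOD, SETTING_OFF, PM_TOPIC, PM_POSTS) }
end
```

Note that the fixed guard rejects a batch as a whole if any single post fails the visibility check, so a mix of visible and hidden posts cannot slip through.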

Weakness Enumeration

Incorrect Authorization

Related Identifiers

BIT-DISCOURSE-2025-68933
CVE-2025-68933
GHSA-HPXV-MW7V-FQG2

Affected Products

Discourse