PT-2026-5195 · Discourse · Discourse

Published: 2026-01-28 · Updated: 2026-02-02 · CVE-2025-69289

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 3.5.4
Discourse versions prior to 2025.11.2
Discourse versions prior to 2025.12.1
Discourse versions prior to 2026.1.0

Description

Discourse is an open source discussion platform. A privilege escalation issue exists in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. It allows a non-admin moderator to bypass email-change restrictions, potentially leading to account takeover of non-staff accounts.

Recommendations

Update to Discourse version 3.5.4 or later.
Update to Discourse version 2025.11.2 or later.
Update to Discourse version 2025.12.1 or later.
Update to Discourse version 2026.1.0 or later.
As a workaround, ensure moderators are trusted.
As a workaround, enable the "require change email confirmation" setting.

Exploit

Fix

LPE

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2025-69289
CVE-2025-69289
GHSA-P39J-X54C-RWQQ

Affected Products

Discourse