CVE-2025-58055
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-10-23

Assigner: GitHub, Inc.

Description
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-10-23
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58055
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.5.1 (exc)
discourse discourse to 3.6.0 (exc)
discourse discourse 3.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Discourse versions 3.5.0 and below involves the AI suggestion endpoints for topic Title, Category, and Tags. Authenticated users could manipulate the topic_id parameter in API requests to access information about restricted topics they were not authorized to see. The AI model would then disclose information about these restricted topics, effectively leaking data to unauthorized users. This issue is fixed in version 3.5.1.

Impact Analysis

The vulnerability allows authenticated users to access and extract information about restricted topics they should not have access to. This could lead to unauthorized disclosure of sensitive or confidential information within the Discourse platform, potentially compromising privacy and security of the community discussions.

Mitigation Strategies

To mitigate this vulnerability immediately, restrict group access to the AI helper feature by configuring the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. Additionally, upgrade Discourse to version 3.5.1 or later where this issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart