CVE-2025-64528
Unknown Unknown - Not Provided

User Enumeration Vulnerability in Discourse Allows Full Name Disclosure

Vulnerability report for CVE-2025-64528, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-30

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-30
Last Modified
2026-02-20
Generated
2026-07-07
AI Q&A
2025-12-30
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse 2025.12.0
discourse discourse 2025.11.0
discourse discourse to 3.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-202 When trying to keep information confidential, an attacker can often infer some of the information by using statistics.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Discourse allows an attacker who knows part of a username to discover the full username and the user's full name via the user interface or API, even when the 'enable_names' setting is disabled. This issue affects versions prior to 3.5.3, 2025.11.1, and 2025.12.0, which contain the fix.

Compliance Impact

This vulnerability allows unauthorized disclosure of user real names even when the privacy setting to disable name exposure (`enable_names`) is active. Such unintended exposure of personal information can lead to privacy violations, potentially impacting compliance with data protection regulations like GDPR and HIPAA that require safeguarding personally identifiable information. By allowing attackers to enumerate user identities without privileges or user interaction, the vulnerability undermines privacy controls and could result in non-compliance with these standards. The fix restores proper enforcement of the privacy setting, thereby improving compliance with privacy requirements. [3]

Detection Guidance

This vulnerability can be detected by testing the user search functionality in Discourse to see if user real names are exposed when the `enable_names` setting is disabled. Specifically, you can perform search queries via the UI or API using partial usernames and check if the full name is returned despite `enable_names` being off. To detect this on your system, you can try searching for known partial usernames and observe if the results include real names. Since the issue is in the search query respecting the `enable_names` setting, you can also verify the Discourse version and confirm if it is prior to the fixed versions (3.5.3, 2025.11.1, 2025.12.0). There are no explicit commands provided in the resources, but a practical approach is to use curl or similar HTTP clients to query the Discourse user search API endpoint with partial usernames and inspect the response for real names when `enable_names` is disabled. [3, 1, 2, 4]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of user information, specifically full usernames and full names, which may compromise user privacy and potentially facilitate further targeted attacks or social engineering.

Mitigation Strategies

Upgrade Discourse to version 3.5.3, 2025.11.1, or 2025.12.0 or later, as these versions contain the fix for this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart