CVE-2025-64528
Unknown Unknown - Not Provided
User Enumeration Vulnerability in Discourse Allows Full Name Disclosure

Publication date: 2025-12-30

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when `enable_names` is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-30
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2025-12-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64528
EUVD
EUVD-2025-205817
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse 2025.12.0
discourse discourse 2025.11.0
discourse discourse to 3.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-202 When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Discourse allows an attacker who knows part of a username to discover the full username and the user's full name via the user interface or API, even when the 'enable_names' setting is disabled. This issue affects versions prior to 3.5.3, 2025.11.1, and 2025.12.0, which contain the fix.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of user information, specifically full usernames and full names, which may compromise user privacy and potentially facilitate further targeted attacks or social engineering.

Mitigation Strategies

Upgrade Discourse to version 3.5.3, 2025.11.1, or 2025.12.0 or later, as these versions contain the fix for this vulnerability.

Compliance Impact

This vulnerability allows unauthorized disclosure of user real names even when the privacy setting to disable name exposure (`enable_names`) is active. Such unintended exposure of personal information can lead to privacy violations, potentially impacting compliance with data protection regulations like GDPR and HIPAA that require safeguarding personally identifiable information. By allowing attackers to enumerate user identities without privileges or user interaction, the vulnerability undermines privacy controls and could result in non-compliance with these standards. The fix restores proper enforcement of the privacy setting, thereby improving compliance with privacy requirements. [3]

Detection Guidance

This vulnerability can be detected by testing the user search functionality in Discourse to see if user real names are exposed when the `enable_names` setting is disabled. Specifically, you can perform search queries via the UI or API using partial usernames and check if the full name is returned despite `enable_names` being off. To detect this on your system, you can try searching for known partial usernames and observe if the results include real names. Since the issue is in the search query respecting the `enable_names` setting, you can also verify the Discourse version and confirm if it is prior to the fixed versions (3.5.3, 2025.11.1, 2025.12.0). There are no explicit commands provided in the resources, but a practical approach is to use curl or similar HTTP clients to query the Discourse user search API endpoint with partial usernames and inspect the response for real names when `enable_names` is disabled. [3, 1, 2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart