CVE-2025-68479
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 3.5.4 (exc) |
| discourse | discourse | From 2025.11.0 (inc) to 2025.11.2 (exc) |
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2026.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Discourse affects certain subscription endpoints that do not properly verify ownership before allowing changes. This means that users with limited privileges might be able to modify subscription data they do not own. The issue is fixed in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0.
How can this vulnerability impact me? :
The vulnerability can allow unauthorized users to make changes to subscription data they do not own, potentially leading to unauthorized access or modification of sensitive information. This could compromise data integrity and confidentiality within the Discourse platform.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 as these versions contain patches for the vulnerability. No known workarounds are available.