CVE-2025-68666
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-68666, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-28

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-28
Last Modified
2026-01-30
Generated
2026-07-06
AI Q&A
2026-01-29
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.5.4 (exc)
discourse discourse From 2025.11.0 (inc) to 2025.11.2 (exc)
discourse discourse 2025.12.0
discourse discourse 2026.1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows users with moderation privileges to view user archives that they should not have access to. As a result, private topic and post content made by users is leaked through these archives, causing a breach of confidentiality.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of private user content to moderators, which breaches user confidentiality and privacy. This could damage trust in the platform, expose sensitive information, and potentially lead to further misuse of the leaked data.

Mitigation Strategies

To mitigate this vulnerability immediately, a site administrator can temporarily revoke the moderation role from all moderators until the Discourse instance is upgraded to a patched version (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0).

Compliance Impact

This vulnerability leads to a breach of confidentiality by exposing private topic and post content of users to moderators who should not have access. Such unauthorized disclosure of private user data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart