CVE-2025-68666
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-28

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-01-30
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68666
EUVD
EUVD-2025-206423
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.5.4 (exc)
discourse discourse From 2025.11.0 (inc) to 2025.11.2 (exc)
discourse discourse 2025.12.0
discourse discourse 2026.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows users with moderation privileges to view user archives that they should not have access to. As a result, private topic and post content made by users is leaked through these archives, causing a breach of confidentiality.


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized disclosure of private user content to moderators, which breaches user confidentiality and privacy. This could damage trust in the platform, expose sensitive information, and potentially lead to further misuse of the leaked data.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, a site administrator can temporarily revoke the moderation role from all moderators until the Discourse instance is upgraded to a patched version (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0).


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability leads to a breach of confidentiality by exposing private topic and post content of users to moderators who should not have access. Such unauthorized disclosure of private user data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart