CVE-2025-68933
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-28

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-01-30
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68933
EUVD
EUVD-2025-206428
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse to 3.5.4 (exc)
discourse discourse From 2025.11.0 (inc) to 2025.11.2 (exc)
discourse discourse 2025.12.0
discourse discourse 2026.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Discourse allows non-admin moderators who have the 'moderators_change_post_ownership' setting enabled to change the ownership of posts in private messages and restricted categories that they normally cannot access. By doing so, they can then export the data of those posts and view their content. This is a broken access control issue that affects sites granting moderators permission to transfer post ownership. The vulnerability is fixed by adding visibility checks for both the topic and posts before allowing ownership transfer.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized access to private or restricted content by non-admin moderators. They can change post ownership to gain access to posts they should not see, potentially exposing sensitive or confidential information. This can compromise the privacy and security of discussions within private messages and restricted categories.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, disable the 'moderators_change_post_ownership' site setting to prevent non-admin moderators from using the post ownership transfer feature. Additionally, upgrade Discourse to one of the patched versions: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, which include visibility checks preventing unauthorized ownership transfers.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart