CVE-2025-69289
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | up to 3.5.4 (excluding) |
| discourse | discourse | from 2025.11.0 (including) up to 2025.11.2 (excluding) |
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2026.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 (Incorrect Authorization) | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that moderators are trusted users or enable the "require_change_email_confirmation" setting. Additionally, update Discourse to one of the patched versions: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0.
Can you explain this vulnerability to me?
This vulnerability in Discourse allows a non-admin moderator to bypass email-change restrictions, which can lead to the takeover of non-staff user accounts. It is a privilege escalation issue present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The problem is fixed in these versions, and as a workaround, moderators should be trusted or the "require_change_email_confirmation" setting should be enabled.
How can this vulnerability impact me?
This vulnerability can impact you by allowing a non-admin moderator to escalate their privileges and take over non-staff user accounts by bypassing email-change restrictions. This could lead to unauthorized access to user accounts and potential misuse of those accounts.