CVE-2025-49845
Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers
Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Reserved 2025-06-11 | Published 2025-06-25 | Updated 2025-06-25 | Assigner GitHub_MCWE-200: Exposure of Sensitive Information to an Unauthorized Actor
github.com/...course/security/advisories/GHSA-79qw-r73r-69gf
Support options
