CVE-2025-68479 | THREATINT

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

PUBLISHED Reserved 2025-12-18 | Published 2026-01-28 | Updated 2026-01-29 | Assigner GitHub_M

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-862: Missing Authorization

Product status

< 3.5.4

affected

>= 2025.11.0-latest, < 2025.11.2

affected

>= 2025.12.0-latest, < 2025.12.1

affected

>= 2026.1.0-latest, < 2026.1.0

affected

References

github.com/...course/security/advisories/GHSA-6gjr-5897-m327

cve.org (CVE-2025-68479)

nvd.nist.gov (CVE-2025-68479)

Download JSON