CVE-2025-69289 | THREATINT

Description

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.

PUBLISHED Reserved 2025-12-31 | Published 2026-01-28 | Updated 2026-01-28 | Assigner GitHub_M

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 3.5.4

affected

>= 2025.11.0-latest, < 2025.11.2

affected

>= 2025.12.0-latest, < 2025.12.1

affected

>= 2026.1.0-latest, < 2026.1.0

affected

References

github.com/...course/security/advisories/GHSA-p39j-x54c-rwqq

cve.org (CVE-2025-69289)

nvd.nist.gov (CVE-2025-69289)

Download JSON