CVE-2025-68479

MEDIUM5.3EPSS 0.07%

Discourse subscriptions are susceptible to takeover

Published: 2/2/2026Modified: 2/2/2026

Also known as:GHSA-6gjr-5897-m327BIT-discourse-2025-68479

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Affected packages (1)

Bitnami/discoursefrom 0, < 3.5.4, >= 2025.11.0, < 2025.11.2, >= 2025.12.0, < 2025.12.1, >= 2026.1.0, < 2026.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (2)

WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-68479