CVE-2025-68479

7.1 HIGH

📋 TL;DR

This CVE describes an authorization bypass in the Discourse discussion platform: its subscription endpoints did not verify that the caller owns the subscription being changed before applying the modification. Any authenticated user could therefore alter other users' subscriptions simply by addressing them in an API request. All Discourse instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Discourse
Versions: All releases before the fixed version on each release branch: 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0
Operating Systems: All platforms running Discourse
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Discourse installations are vulnerable if running affected versions.

📦 What is this software?

Discourse is an open-source discussion and community platform with a Ruby on Rails backend and an Ember.js frontend. Most production sites run the official Docker-based install (the discourse_docker launcher), which is the deployment the commands below assume.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could modify or cancel any user's subscription settings at will, suppressing or flooding their notifications (a denial of service against the affected users), exposing private preference data, or using the manipulated subscriptions to set up further attacks.

🟠

Likely Case

Authenticated but unauthorized users modifying other users' subscription preferences, leading to notification spam, missed important updates, or minor privacy violations.

🟢

If Mitigated

Because exploitation requires an authenticated account, restricting who can obtain one (invite-only or approval-required signup) and limiting network access to the instance confines the exposure to your own user population. A malicious or compromised account inside that population can still exploit the flaw until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account but minimal technical skill: because the endpoint never checks ownership, the attacker only has to substitute another user's subscription identifier in an otherwise ordinary API request.
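The bug class above, shown as an added example that is not Discourse's code: a plain-Ruby stand-in for a subscription update action, once without the ownership check and once with it. The `Subscription` struct, the in-memory store, the user ids and the `update_subscription_*` function names are all hypothetical; only the pattern (load by client-supplied id, then write) is what the advisory describes.

```ruby
# Illustration of the bug class in this advisory: a subscription update that
# skips the ownership check, next to the hardened form. Plain Ruby, no Rails;
# NOT Discourse's code. Ids, users and the store are constructed for the demo.

Subscription = Struct.new(:id, :owner_id, :enabled)

class NotFound < StandardError; end
class Forbidden < StandardError; end # what a Guardian-style check would raise

# Fresh in-memory stand-in for the subscriptions table (constructed data).
def sample_store
  {
    1 => Subscription.new(1, 100, true), # owned by user 100
    2 => Subscription.new(2, 200, true), # owned by user 200
  }
end

# Vulnerable pattern: load the record by the client-supplied id and write to it
# straight away. current_user_id is never consulted, so any logged-in user can
# change anyone's subscription just by changing params[:id]
# (broken object-level authorization / IDOR).
def update_subscription_vulnerable(store, current_user_id, params)
  sub = store[params[:id]]
  raise NotFound unless sub
  sub.enabled = params[:enabled]
  sub
end

# Hardened pattern: same lookup, then an explicit server-side ownership check
# before any write. The check has to run on every mutating route (update,
# cancel, delete), not just one of them.
def update_subscription_fixed(store, current_user_id, params)
  sub = store[params[:id]]
  raise NotFound unless sub
  raise Forbidden unless sub.owner_id == current_user_id
  sub.enabled = params[:enabled]
  sub
end

# Replay the attack against both versions: user 200 tries to disable
# subscription 1, which belongs to user 100.
def demo
  attack = { id: 1, enabled: false }
  vulnerable = update_subscription_vulnerable(sample_store, 200, attack).enabled
  fixed =
    begin
      update_subscription_fixed(sample_store, 200, attack)
      :modified
    rescue Forbidden
      :forbidden
    end
  { vulnerable_result: vulnerable, fixed_result: fixed }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The other common fix is to scope the lookup to the caller's own records (in Rails terms, `current_user.subscriptions.find(id)` rather than `Subscription.find(id)`), which has the added benefit of not revealing whether a foreign id exists. In Discourse the authorization layer that performs this kind of check is the `Guardian` class; whichever form is used, the decision must be made server-side on every state-changing route.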

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327

Restart Required: Yes

Instructions:

1. Back up your Discourse instance (Admin > Backups, or your existing backup job).
2. Update to a patched version using your deployment method. For the standard Docker install:

     cd /var/discourse && git pull && ./launcher rebuild app

   The rebuild pulls the current Discourse release for the branch or tag set under version: in containers/app.yml and restarts the container; on a stable-channel install confirm that value points at 3.5.4 or a later release that contains the fix.
3. Restart the Discourse service (the Docker rebuild above already does this).
4. Verify the update using the steps under "How to Verify" below.

🧯 If You Can't Patch

  • Exploitation needs an authenticated account, so restrict who can get one: enable invite-only or approval-required signup (Discourse site settings invite_only / must_approve_users) and review recently created accounts.
  • Where the deployment allows it, limit network access to the instance to trusted users (VPN or IP allow-listing at the reverse proxy).
  • Monitor subscription-related API calls (see Detection & Monitoring below) and rate-limit state-changing requests per account at the reverse proxy. None of these removes the missing check; they only reduce who can reach it.

🔍 How to Verify

Check if Vulnerable:

Compare the running version with the fixed versions listed above. The version is shown on the admin dashboard (/admin) and in Admin > Upgrade on Docker installs.

Check Version:

On a standard Docker install (app container named app, code under /var/www/discourse; adjust both if your install differs):

  docker exec app grep STRING /var/www/discourse/lib/version.rb

Verify Fix Applied:

Confirm the version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, or a later release on the same branch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual subscription modification patterns
  • API calls to subscription endpoints from unexpected users

Network Indicators:

  • Unusual volume of POST/PUT/DELETE requests to subscription endpoints, in particular one account addressing many different subscription identifiers in a short period

SIEM Query:

source="discourse" AND uri_path="/subscription*" AND http_method IN ("POST", "PUT", "PATCH", "DELETE")

The exact route paths are not spelled out in this summary; confirm them against the vendor advisory and your own Discourse routes before deploying the query. Note that on a vulnerable instance a successful cross-user modification returns a normal 2xx status, so the request volume and the identity of the requesting account are the only signals in the web log itself; to confirm abuse, join the subscription id in the path against its owner in the database.
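A worked version of that join, added here as an example and not taken from Discourse or the advisory: it scans access-log lines for mutating requests to subscription objects and flags the ones whose target is owned by someone other than the requesting user. The log line format, the /subscriptions/<id> route shape, the usernames, and the `OWNERS` table are all constructed for the example; replace the regex with your real nginx log_format and load ownership from the Discourse database before relying on it.

```ruby
# Added detection example (not Discourse code). Flags state-changing requests
# against subscription records whose owner is not the requesting user.
# Log format, route shape, users and ownership table are constructed.

MUTATING = %w[POST PUT PATCH DELETE].freeze

# Constructed log format: [time] ip "METHOD path HTTP/x" status "username"
LINE_RE = /\A\[(?<time>[^\]]+)\]\s+(?<ip>\S+)\s+"(?<method>[A-Z]+)\s+(?<path>\S+)\s+HTTP\/[\d.]+"\s+(?<status>\d{3})\s+"(?<user>[^"]*)"\z/

# Hypothetical route shape; optional .json suffix and query string tolerated.
SUB_PATH_RE = %r{\A/subscriptions/(?<id>\d+)(?:\.json)?(?:\?.*)?\z}

# Constructed ownership table (subscription id => owning username).
# In a real investigation this comes from a database export.
OWNERS = { 1 => 'alice', 2 => 'bob', 3 => 'bob' }.freeze

# Constructed sample log: mallory changes alice's and bob's subscriptions.
SAMPLE_LOG = <<~LOG
  [20/Dec/2025:10:00:01 +0000] 203.0.113.5 "GET /t/hello/12 HTTP/1.1" 200 "alice"
  [20/Dec/2025:10:00:02 +0000] 203.0.113.5 "PUT /subscriptions/1 HTTP/1.1" 200 "alice"
  [20/Dec/2025:10:00:03 +0000] 198.51.100.7 "PUT /subscriptions/1 HTTP/1.1" 200 "mallory"
  [20/Dec/2025:10:00:04 +0000] 198.51.100.7 "DELETE /subscriptions/2 HTTP/1.1" 200 "mallory"
  [20/Dec/2025:10:00:05 +0000] 198.51.100.7 "PUT /subscriptions/3 HTTP/1.1" 403 "mallory"
  [20/Dec/2025:10:00:06 +0000] 203.0.113.9 "POST /subscriptions/2 HTTP/1.1" 200 "bob"
  [20/Dec/2025:10:00:07 +0000] 198.51.100.7 "GET /subscriptions/1 HTTP/1.1" 200 "mallory"
LOG

# Parse one line into a hash, or nil if it does not match the format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { time: m[:time], ip: m[:ip], method: m[:method], path: m[:path],
    status: m[:status].to_i, user: m[:user] }
end

# Mutating requests against subscription objects, each annotated with the
# record owner and a verdict:
#   :own_record          caller owns the target
#   :cross_user_success  foreign target and the server accepted it (2xx)
#   :cross_user_blocked  foreign target rejected (what a patched server does)
def subscription_mutations(log_text, owners = OWNERS)
  log_text.each_line.filter_map { |l| parse_line(l) }.filter_map do |ev|
    next unless MUTATING.include?(ev[:method])
    pm = SUB_PATH_RE.match(ev[:path])
    next unless pm
    id = pm[:id].to_i
    owner = owners[id]
    verdict =
      if owner == ev[:user] then :own_record
      elsif (200..299).cover?(ev[:status]) then :cross_user_success
      else :cross_user_blocked
      end
    ev.merge(subscription_id: id, owner: owner, verdict: verdict)
  end
end

# The events worth an incident ticket: successful cross-user modifications.
def cross_user_successes(log_text, owners = OWNERS)
  subscription_mutations(log_text, owners).select { |e| e[:verdict] == :cross_user_success }
end

# Volume signal per account, usable even without ownership data
# (this is what the SIEM query above approximates).
def mutations_per_user(log_text, owners = OWNERS)
  subscription_mutations(log_text, owners).map { |e| e[:user] }.tally
end

if __FILE__ == $PROGRAM_NAME
  cross_user_successes(SAMPLE_LOG).each do |e|
    puts "#{e[:time]} #{e[:user]} #{e[:method]} subscription #{e[:subscription_id]} (owner #{e[:owner]}) -> #{e[:status]}"
  end
  p mutations_per_user(SAMPLE_LOG)
end
```

On the sample data the two accepted requests from mallory against alice's and bob's records are reported as successes, while the 403 on subscription 3 is classified as blocked; after patching, every cross-user attempt should land in that blocked bucket, so a non-empty success list is the indicator of a still-vulnerable or already-exploited instance.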

🔗 References

  • Vendor advisory: https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2025-68479