CVE-2025-68666
📋 TL;DR
This CVE allows Discourse users holding the moderator role to view other users' archives, which contain private topic and post content, violating confidentiality. Affected are Discourse instances running a release earlier than the fixed release on their release line: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0. The flaw gives moderators, who are privileged but are not meant to see this data, access to sensitive user content.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Moderators access and leak sensitive private conversations, causing reputational damage, regulatory violations, and loss of user trust.
Likely Case
Moderators inadvertently or intentionally view private user archives, leading to data privacy breaches and potential internal misuse.
If Mitigated
With proper access controls and patching, only authorized administrators can access archives, maintaining confidentiality.
🎯 Exploit Status
Exploitation requires an authenticated account that holds the moderator role; no authentication bypass or separate privilege escalation is involved, so the realistic threat is a malicious or careless insider with moderation rights, or an attacker who has taken over such an account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv
Restart Required: Yes
Instructions:
1. Back up the Discourse instance before upgrading.
2. Update to the fixed release for the release line you run (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0) using your deployment method: on the standard Docker install this is a container rebuild, on a manual install a code update followed by the usual migrations.
3. Restart the Discourse service if the update method did not already do so (a Docker rebuild restarts the container).
4. Confirm the running version in the admin dashboard and re-test moderator access to a user archive as described under How to Verify.
🔧 Temporary Workarounds
Revoke Moderator Privileges
Temporarily remove the moderator role from every user so that no account can reach user archives until the patch is applied. This suspends all moderation on the site, so it is a short-term measure only.
Run Discourse admin commands or use the admin interface to revoke moderator roles.
🧯 If You Can't Patch
- Implement strict access logging for archive views to detect misuse.
- Reduce the number of users with moderator privileges to minimize exposure.
🔍 How to Verify
Check if Vulnerable:
Check your Discourse version via the admin dashboard or the command line and compare it against the fixed release on the same release line. Do not compare across lines numerically: 2025.12.0 is vulnerable even though it is numerically far above 3.5.4, and 3.5.4 is fixed even though it is numerically below 2025.11.1. Any release line older than 3.5 has no fixed release and must be upgraded to one of the listed lines.
Check Version:
docker exec -it app cat /var/www/discourse/lib/version.rb # Standard Docker install: the container is normally named "app" and the version constants live in lib/version.rb. For other deployments read the version from the admin dashboard.
Verify Fix Applied:
After updating, confirm the running version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 (or later on that line), then log in with a test account that holds only the moderator role and confirm it can no longer view another user's archive.
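The per-release-line comparison described above is easy to get wrong by hand, so here is an added example (not code from the advisory or from the Discourse project) that classifies a version string as vulnerable or fixed for this CVE. It assumes version strings of the form "3.5.4", "2025.12.1" or "3.5.4.beta1" (a fourth component marks a pre-release), that release lines newer than 2026.1 already contain the fix, that lines older than 3.5 have no fixed release, and that the public /about.json endpoint reports the running version under about.version; the sample JSON body is constructed.

```python
"""Classify a Discourse version string as vulnerable or fixed for CVE-2025-68666.

Added example; not code from the advisory or from the Discourse project.
Assumptions not stated on the page: version strings look like "3.5.4",
"2025.12.1" or "3.5.4.beta1" (a fourth component marks a pre-release);
a release line newer than the newest listed one already contains the fix;
a release line older than 3.5 has no fixed release and is treated as
vulnerable; and the public /about.json endpoint reports the running
version under about.version.
"""
import json
import re

# Fixed releases from the advisory, keyed by release line (first two components).
FIXED_BY_LINE = {
    (3, 5): (3, 5, 4),
    (2025, 11): (2025, 11, 2),
    (2025, 12): (2025, 12, 1),
    (2026, 1): (2026, 1, 0),
}
OLDEST_FIXED_LINE = min(FIXED_BY_LINE)  # (3, 5)
NEWEST_FIXED_LINE = max(FIXED_BY_LINE)  # (2026, 1)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([0-9A-Za-z]+))?$")


def parse_version(version):
    """Return (major, minor, tiny, pre); pre is None for a final release."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Discourse version string: {version!r}")
    major, minor, tiny, pre = match.groups()
    return int(major), int(minor), int(tiny), pre


def is_vulnerable(version):
    """True if this version predates the fixed release on its release line.

    A plain numeric comparison is wrong here: 2025.12.0 is numerically far
    above 3.5.4 yet still vulnerable, while 3.5.4 is fixed although it is
    numerically below 2025.11.1. The comparison must be done per line.
    """
    major, minor, tiny, pre = parse_version(version)
    line = (major, minor)
    if line in FIXED_BY_LINE:
        fixed = FIXED_BY_LINE[line]
        if (major, minor, tiny) < fixed:
            return True
        # Conservative assumption: a pre-release of the fixed version
        # (e.g. 3.5.4.beta1) is treated as predating the fix.
        return (major, minor, tiny) == fixed and pre is not None
    if line < OLDEST_FIXED_LINE:
        return True   # older line with no fixed release: upgrade required
    if line > NEWEST_FIXED_LINE:
        return False  # assumed to be built after the fix landed
    return True       # unlisted line between the fixed ones: treat as vulnerable


def version_from_about_json(body):
    """Extract the version from an /about.json response body (assumed layout)."""
    return json.loads(body)["about"]["version"]


# Constructed sample response, not captured from a real instance.
SAMPLE_ABOUT_JSON = '{"about": {"title": "Example Forum", "version": "2025.12.0"}}'


def check_instance(about_json_body):
    """Return (version, vulnerable) for a captured /about.json body."""
    version = version_from_about_json(about_json_body)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    for v in ["3.5.3", "3.5.4", "2025.11.1", "2025.12.0", "2025.12.1", "2026.1.0", "3.4.7"]:
        print(f"{v:12s} vulnerable={is_vulnerable(v)}")
    print(check_instance(SAMPLE_ABOUT_JSON))
```

Feed it the version string from lib/version.rb, the admin dashboard, or a saved /about.json body; the conservative choices (pre-releases of the fixed version and unlisted intermediate lines count as vulnerable) err toward prompting an upgrade rather than a false all-clear.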
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to user archive endpoints by moderator accounts.
Network Indicators:
- A rise in requests for archive-related endpoints attributed to accounts holding the moderator role. Source IP alone is a weak signal, since moderators log in from ordinary client addresses, so correlate on the authenticated account rather than on internal versus external origin.
SIEM Query:
source="discourse_logs" AND (url_path="/archives" OR action="view_archive") AND user_role="moderator"
(The source name, field names, path and role value above are placeholders; map them to your log schema and to the archive route on your instance. Alert on any moderator hit rather than only on volume, because once patched a moderator should never reach an archive at all.)
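The log-based detection described above, as an added example that is not part of the original page or of the Discourse project: it scans access-log lines for archive requests by accounts in a moderator set, excludes administrators (whose access the page treats as authorised) and users fetching their own archive, and separates served responses from denied ones so the same logic works before and after patching. Everything in it is constructed: the log line layout (timestamp, client IP, username, request, status), the account names, and the archive path, which is a placeholder because the page does not name the real route.

```python
"""Flag moderator accounts that requested user archives, from access-log lines.

Added example; not code from the advisory or from the Discourse project.
Everything below is constructed: the log line layout, the account names and
the archive path. The page does not name the route that serves archives, so
ARCHIVE_PATH_RE is a placeholder to be replaced with the route observed on
your instance. The assumed log layout is
    timestamp client_ip username "METHOD path HTTP/x" status
and the moderator and admin sets must come from your own admin UI or database.
"""
import re

# Placeholder route: replace with the real archive path once mapped on your instance.
ARCHIVE_PATH_RE = re.compile(r"^/placeholder/user-archive/(?P<target>[^/?]+)")

LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed role lists (not real accounts).
MODERATORS = {"mod_alice", "mod_bob"}
ADMINS = {"admin_carol"}

# Constructed sample log lines (not captured from a real instance).
SAMPLE_LOG = """\
2026-01-10T12:00:01Z 203.0.113.5 mod_alice "GET /placeholder/user-archive/dave HTTP/1.1" 200
2026-01-10T12:00:09Z 203.0.113.5 mod_alice "GET /placeholder/user-archive/erin HTTP/1.1" 200
2026-01-10T12:01:30Z 203.0.113.5 mod_alice "GET /placeholder/user-archive/dave?page=2 HTTP/1.1" 200
2026-01-10T12:02:00Z 198.51.100.7 admin_carol "GET /placeholder/user-archive/dave HTTP/1.1" 200
2026-01-10T12:02:10Z 192.0.2.9 frank "GET /placeholder/user-archive/frank HTTP/1.1" 200
2026-01-10T12:03:00Z 203.0.113.5 mod_alice "GET /t/some-topic/42 HTTP/1.1" 200
2026-01-10T12:03:20Z 203.0.113.6 mod_bob "GET /latest HTTP/1.1" 200
2026-01-10T12:04:00Z 203.0.113.5 mod_alice "GET /placeholder/user-archive/dave HTTP/1.1" 403
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_moderator_archive_access(lines, moderators, admins, path_re=ARCHIVE_PATH_RE):
    """Summarise archive requests made by moderator (non-admin) accounts.

    Admins are excluded because the page treats administrator access as
    authorised; a user fetching their own archive is excluded as well.
    2xx responses count as 'allowed' (data was served), anything else as
    'denied' (an attempt that a patched instance rejected).
    """
    findings = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        user = rec["user"]
        if user not in moderators or user in admins:
            continue
        m = path_re.match(rec["path"])
        if not m or m.group("target") == user:
            continue
        f = findings.setdefault(user, {"requests": 0, "allowed": 0, "denied": 0,
                                       "targets": set(), "first": rec["ts"], "last": rec["ts"]})
        f["requests"] += 1
        f["allowed" if rec["status"].startswith("2") else "denied"] += 1
        f["targets"].add(m.group("target"))
        f["first"] = min(f["first"], rec["ts"])  # ISO timestamps sort lexically
        f["last"] = max(f["last"], rec["ts"])
    for f in findings.values():
        f["targets"] = sorted(f["targets"])
    return findings


# Result over the constructed sample, kept at module level for reuse.
SAMPLE_FINDINGS = flag_moderator_archive_access(SAMPLE_LOG.splitlines(), MODERATORS, ADMINS)

if __name__ == "__main__":
    for user, f in SAMPLE_FINDINGS.items():
        print(f"{user}: {f['requests']} archive requests ({f['allowed']} served, "
              f"{f['denied']} denied) for {f['targets']} between {f['first']} and {f['last']}")
```

On the sample, only mod_alice is reported: three served requests for two other users' archives plus one denied attempt. The denied count is the signal worth keeping after patching, since a moderator still probing archive routes on a fixed instance is exactly the account to look at.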