CVE-2025-68933
📋 TL;DR
This vulnerability allows non-admin moderators who hold the post ownership transfer permission to change the ownership of posts in private messages and restricted categories they cannot otherwise access, and then export the data to read the sensitive content. It affects Discourse sites that have enabled the 'moderators_change_post_ownership' site setting. The vulnerability is a broken access control issue that can lead to unauthorized data exposure.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Moderators could access and exfiltrate sensitive private messages and restricted category content, potentially exposing confidential discussions, personal data, or proprietary information.
Likely Case
A moderator, inadvertently or intentionally, accesses private content they should not have permission to view, violating privacy expectations and potentially exposing sensitive discussions.
If Mitigated
With proper access controls and patching, moderators can only transfer post ownership within their authorized visibility scope, maintaining proper data segregation.
🎯 Exploit Status
Exploitation requires authenticated moderator access with specific permissions enabled. The vulnerability is straightforward to exploit once the conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2
Restart Required: Yes
Instructions:
1. Update Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later.
2. Restart the Discourse application.
3. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Disable moderator post ownership transfer
Disable the 'moderators_change_post_ownership' site setting to prevent non-admin moderators from using the post ownership transfer feature.
rails console
SiteSetting.moderators_change_post_ownership = false
🧯 If You Can't Patch
- Disable the 'moderators_change_post_ownership' site setting immediately
- Review and restrict moderator permissions to only essential functions
🔍 How to Verify
Check if Vulnerable:
The site is vulnerable if the Discourse version is older than the fixed release for its release line (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0) AND the 'moderators_change_post_ownership' site setting is enabled.
Check Version:
Check the Discourse admin dashboard or run 'rails runner "puts Discourse::VERSION::STRING"'.
Verify Fix Applied:
Verify Discourse version is 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 or later, and test that moderators cannot transfer post ownership for content they cannot access.
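The two-part check above (fixed version AND site setting) as a small Ruby function. This is an added example, not code from the advisory or from Discourse itself; the branch handling is an assumption: a version whose major.minor line has no listed fix is treated as fixed only if that line is newer than the newest fixed line in the same numbering scheme (3.x semver vs. calendar 2025.x).

```ruby
# Added example (not from the advisory or from Discourse): decide whether a
# Discourse install is exposed to CVE-2025-68933 from its version string and
# the moderators_change_post_ownership site setting.

# Fixed releases listed in the advisory, one per release line.
FIXED_VERSIONS = %w[3.5.4 2025.11.2 2025.12.1 2026.1.0].freeze

# "3.5.4" -> [3, 5, 4, 1]; "3.5.4.beta1" -> [3, 5, 4, 0].
# The trailing flag sorts a pre-release below the final release of the same number.
def parse_version(str)
  parts = str.strip.split(".")
  numeric = parts.take(3).map(&:to_i)
  prerelease = parts[3] && parts[3] !~ /\A\d+\z/ ? 0 : 1
  numeric + [prerelease]
end

def calendar_scheme?(v)
  v[0] >= 2000 # 2025.x / 2026.x versus 3.x
end

# True when the version carries the fix.
def version_fixed?(str)
  v = parse_version(str)
  fixes = FIXED_VERSIONS.map { |f| parse_version(f) }
  same_line = fixes.find { |f| f[0, 2] == v[0, 2] }
  return (v <=> same_line) >= 0 if same_line
  # Assumption: a line with no listed fix is fixed only if it is newer than the
  # newest fixed line in the same numbering scheme.
  newest_line = fixes.select { |f| calendar_scheme?(f) == calendar_scheme?(v) }
                     .map { |f| f[0, 2] }.max
  (v[0, 2] <=> newest_line) > 0
end

# Exposure requires both an unfixed version and the setting switched on.
def vulnerable?(version_string, moderators_change_post_ownership)
  moderators_change_post_ownership && !version_fixed?(version_string)
end
```

In a Discourse Rails console the live values are `Discourse::VERSION::STRING` and `SiteSetting.moderators_change_post_ownership`; pass them to `vulnerable?` to evaluate the site.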
📡 Detection & Monitoring
Log Indicators:
- Unusual post ownership transfer activity by moderators
- Multiple data export requests from moderator accounts
- Access to private messages or restricted categories by unauthorized moderators
Network Indicators:
- Increased data export traffic from moderator accounts
- Unusual API calls to post ownership transfer endpoints
SIEM Query:
source="discourse" AND (event="post_ownership_transfer" OR event="data_export") AND user_role="moderator" AND resource_category IN ("private_messages", "restricted_categories")