CVE-2025-69218
📋 TL;DR
This vulnerability allows moderators in Discourse to access the 'top_uploads' admin report, which should be restricted to administrators only. The report reveals direct URLs to all uploaded files, potentially exposing sensitive content such as user data exports and admin backups. All Discourse instances with untrusted moderators or insufficient access controls are affected.
💻 Affected Systems
- Discourse
📦 What is this software?
Discourse by Discourse
⚠️ Risk & Real-World Impact
Worst Case
Moderators access and exfiltrate sensitive user data exports, admin backups, and private attachments, leading to data breaches, privacy violations, and regulatory compliance issues.
Likely Case
Moderators inadvertently or intentionally view sensitive files they shouldn't have access to, potentially exposing confidential information and violating data protection policies.
If Mitigated
With trusted moderators and proper access controls, the risk is minimal as moderators already have significant privileges and are unlikely to misuse the access.
🎯 Exploit Status
Exploitation requires moderator privileges. Attackers with moderator access can easily navigate to the admin report interface to view sensitive file URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0
Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w
Restart Required: Yes
Instructions:
1. Back up your Discourse instance.
2. Update to Discourse version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 using your deployment method (e.g., Docker, manual update).
3. Restart the Discourse application.
4. Verify the update by checking the version in admin settings.
🔧 Temporary Workarounds
Limit Moderator Privileges
Restrict moderator access to only trusted users until patching is complete. Review and, where appropriate, reduce moderator permissions for untrusted individuals.
🧯 If You Can't Patch
- Review and audit all moderator accounts to ensure they are trusted individuals with minimal necessary access.
- Monitor access logs for any unauthorized attempts to access admin reports or sensitive file URLs.
🔍 How to Verify
Check if Vulnerable:
Check your Discourse version in the admin interface. If it's prior to 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0, you are vulnerable.
Check Version:
In Discourse admin panel, navigate to 'About' section or run `RAILS_ENV=production bundle exec rails runner 'puts Discourse::VERSION::STRING'` on the server.
Verify Fix Applied:
After updating, verify the version in admin settings matches one of the patched versions. Test with a moderator account that the 'top_uploads' report is no longer accessible.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing moderator access to '/admin/reports/top_uploads' or similar admin report paths.
- Unusual file access patterns from moderator accounts to sensitive upload URLs.
Network Indicators:
- HTTP requests to admin report endpoints from sessions of non-admin accounts.
- Increased traffic to file upload URLs from moderator IP addresses.
SIEM Query:
source="discourse_logs" AND (path="/admin/reports/top_uploads" OR path CONTAINS "/admin/reports/") AND user_role="moderator"
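The log indicators and SIEM query above, as an added example that is not part of the original advisory: a small Python detector over constructed JSON-lines access records (the field names, and the `role` field assumed to be added by the reverse proxy or application log, are assumptions) that flags moderator requests to the top_uploads report and, optionally, to any admin report.

```python
import json
import re

# Constructed sample records (JSON Lines), not real Discourse output: one request per
# line, enriched with the requesting account's role (an assumed field).
SAMPLE_LOGS = """
{"ts":"2025-12-02T10:00:01Z","user":"alice","role":"admin","path":"/admin/reports/top_uploads","status":200}
{"ts":"2025-12-02T10:02:14Z","user":"bob","role":"moderator","path":"/admin/reports/top_uploads","status":200}
{"ts":"2025-12-02T10:02:20Z","user":"bob","role":"moderator","path":"/admin/reports/top_uploads.json?start_date=2025-11-01","status":200}
{"ts":"2025-12-02T10:05:00Z","user":"carol","role":"moderator","path":"/admin/reports/flags","status":200}
{"ts":"2025-12-02T10:06:30Z","user":"dave","role":"user","path":"/t/welcome/1","status":200}
{"ts":"2025-12-02T10:07:45Z","user":"erin","role":"moderator","path":"/admin/reports/top_uploads","status":403}
"""

# Match the report path with or without a .json suffix, query string or trailing slash.
TOP_UPLOADS_RE = re.compile(r"^/admin/reports/top_uploads(?:\.json)?(?:[/?]|$)")
ADMIN_REPORT_RE = re.compile(r"^/admin/reports/")


def parse_log(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def detect(records, include_all_reports=False):
    """Flag admin-report requests made by accounts that are not admins.

    A successful top_uploads fetch by a non-admin is the CVE-2025-69218 signature
    ('high'); a non-2xx status means the authorization check held ('denied') but is
    kept so repeated attempts still surface. include_all_reports mirrors the SIEM
    query's broader /admin/reports/ clause ('medium'); those are review items.
    """
    alerts = []
    for r in records:
        if r.get("role") == "admin":
            continue
        path = r.get("path", "")
        if TOP_UPLOADS_RE.match(path):
            severity = "high" if 200 <= r.get("status", 0) < 300 else "denied"
        elif include_all_reports and ADMIN_REPORT_RE.match(path):
            severity = "medium"
        else:
            continue
        alerts.append({"ts": r["ts"], "user": r["user"], "role": r.get("role"),
                       "path": path, "status": r.get("status"), "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOGS), include_all_reports=True):
        print(f"{a['severity']:6} {a['ts']} {a['user']} ({a['role']}) {a['status']} {a['path']}")
```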