CVE-2025-69289

5.4 MEDIUM

📋 TL;DR

A privilege escalation vulnerability in Discourse lets a non-admin moderator bypass the restrictions on changing another user's email address, which can lead to takeover of non-staff accounts. Any authenticated moderator on an unpatched version can exploit it, whether acting maliciously or through compromised credentials. Upgrade to a patched version; the workaround below is a stopgap until you can.

💻 Affected Systems

Products:
  • Discourse
Versions: All versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The moderator role exists in every Discourse install, but exploitation needs at least one non-admin moderator account. Instances whose only staff are admins are not exposed, since admins can already change any user's email.

📦 What is this software?

Discourse is an open-source discussion and community forum platform built on Ruby on Rails and Ember.js. It is most commonly self-hosted with the official Docker-based launcher, and it distinguishes three levels of trust on the server side: admins, moderators (staff without admin rights), and regular users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious or compromised moderator takes over any non-staff user account, gaining that user's data and the ability to post and message as them. Moderators already outrank non-staff users, so this is lateral takeover of other accounts rather than a step up to admin.

🟠 Likely Case

Targeted takeover of a few specific accounts by a moderator acting in bad faith, exposing private messages and other data those users could see.

🟢 If Mitigated

Minimal impact once patched. With the workaround in place an email change still has to be confirmed by email before it takes effect, and keeping the moderator list short and trusted shrinks the pool of possible attackers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated moderator access; no public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0

Vendor Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq

Restart Required: Yes

Instructions:

1. Back up your Discourse instance (for example from the admin Backups page) before touching it.
2. Update to one of the patched versions with your deployment method. On the standard Docker install, from /var/discourse:

git pull && ./launcher rebuild app

   The web updater at /admin/upgrade is the alternative. A rebuild recreates and restarts the container.
3. For non-Docker deployments, restart the Discourse service after updating.
4. Verify the update: the version shown on the admin dashboard must be at or above the patched version for your release line (see How to Verify below).

🔧 Temporary Workarounds

Enable email change confirmation

Applies to: all versions

Requires an email change to be confirmed by email before it takes effect, so a change a moderator submits through the bypass does not complete on its own. Treat this as a stopgap; only the patch removes the bypass itself. The setting can be toggled in Admin > Settings (search for "require change email confirmation") or from a shell on the standard Docker install, where the container is named app and the application lives in /var/www/discourse:

docker exec -it app bash -c 'cd /var/www/discourse && rails runner "SiteSetting.require_change_email_confirmation = true"'

🧯 If You Can't Patch

  • Restrict moderator privileges to trusted personnel only, and review the moderator list in the admin panel for accounts that no longer need the role.
  • Monitor for email changes on accounts other than the requester's own and review moderator activity regularly (see Detection & Monitoring below).

🔍 How to Verify

Check if Vulnerable:

Compare the running version against the patched list line by line: a version is vulnerable if it is below the fix for its own release line (3.5.x below 3.5.4, 2025.11.x below 2025.11.2, 2025.12.x below 2025.12.1, 2026.1.x below 2026.1.0) or on an earlier line altogether. Note that 2025.12.0 is still vulnerable even though it is numerically newer than 2025.11.2.

Check Version:

The admin dashboard (/admin) and the upgrade page (/admin/upgrade) both show the installed version. From a shell on the standard Docker install (container name app, application at /var/www/discourse, version defined in lib/version.rb):

docker exec -it app bash -c 'cd /var/www/discourse && rails runner "puts Discourse::VERSION::STRING"'

Verify Fix Applied:

Confirm the version is at or above the fix for its release line (3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0). If you rely on the workaround, confirm that SiteSetting.require_change_email_confirmation reads true, either with the same rails runner command or in Admin > Settings.
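The per-line comparison above is easy to get wrong by hand, so here is a small version classifier as an added example. It is not part of this advisory or of Discourse's own code. It assumes that each fixed version closes the issue for its own release line and that any release on a line newer than the newest fix also carries it; feed it the string printed by the rails runner command above.

```ruby
# Added example (not Discourse project code): decide whether a Discourse
# version string is at or past the fix for CVE-2025-69289.
#
# Assumption: each fixed version closes the issue for its own release line
# (3.5.x, 2025.11.x, 2025.12.x, 2026.1.x), and any release on a line newer
# than the newest fix also carries it. Versions are compared per line, so
# 2025.12.0 is still vulnerable even though it sorts after 2025.11.2.
require "rubygems"

FIXED_VERSIONS = %w[3.5.4 2025.11.2 2025.12.1 2026.1.0]
  .map { |v| Gem::Version.new(v) }
  .freeze

# Release line a version belongs to: "3" for the semver 3.x series,
# "YYYY.MM" for the date-based series.
def release_line(version)
  segs = version.segments
  segs.first.to_i >= 2025 ? segs[0, 2].join(".") : segs.first.to_s
end

# true when the version already contains the fix
def patched?(version_string)
  v = Gem::Version.new(version_string)
  line_fix = FIXED_VERSIONS.find { |f| release_line(f) == release_line(v) }
  return v >= line_fix if line_fix
  # No fix was issued on this line: only lines newer than the newest fix are safe.
  v >= FIXED_VERSIONS.max
end

def vulnerable?(version_string)
  !patched?(version_string)
end

if __FILE__ == $0
  # Pass the output of: rails runner "puts Discourse::VERSION::STRING"
  (ARGV.empty? ? %w[3.5.3 3.5.4 2025.11.2 2025.12.0 2026.2.0] : ARGV).each do |v|
    puts "#{v}: #{vulnerable?(v) ? 'VULNERABLE' : 'patched'}"
  end
end
```

Gem::Version treats pre-release suffixes such as 3.5.0.beta1 or 2025.11.0-latest as older than the corresponding final release, so betas on a vulnerable line are reported as vulnerable.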

📡 Detection & Monitoring

Log Indicators:

  • Email-change requests for accounts other than the requester's own, especially from moderator accounts
  • A burst of email changes across several different accounts from one source IP or session
  • Failed or abandoned email confirmation attempts, and confirmation emails that users report never requesting

Network Indicators:

  • Increased PUT/POST traffic to the user email preference endpoint (the path the web client uses when a user changes their address), particularly from one client against many usernames

SIEM Query:

Illustrative query; the field names are placeholders to map onto however your pipeline parses Discourse logs. Discourse's production.log does not tag request lines with the actor's role, so the moderator filter usually comes from joining against the staff list:

source="discourse" AND (event="email_change" OR event="user_update") AND user_role="moderator"
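Where no SIEM is in front of the instance, the same "one client, many target accounts" heuristic can be run straight over production.log. The script below is an added example, not code from this advisory or from Discourse. It assumes the email change endpoint is /u/<username>/preferences/email (the path the stock web client uses; confirm against your instance's routes) and that the log carries the standard Rails request line 'Started <VERB> "<path>" for <ip> at <time>'; the sample log is constructed.

```ruby
# Added example (not Discourse project code): scan Rails-style request log
# lines for writes to the user email-preference endpoint and flag source
# addresses that hit it for several different target accounts within a
# short window. A normal user changes only their own address, so one
# client touching many usernames is the pattern this bug produces.
#
# Assumptions: the endpoint path is /u/<username>/preferences/email (the
# path the stock web client uses; confirm against your routes), and
# production.log carries the standard Rails request line
# 'Started <VERB> "<path>" for <ip> at <time>'.
require "time"

STARTED_RE = /\AStarted (?<verb>PUT|POST) "(?<path>[^"]+)" for (?<ip>\S+) at (?<time>.+)\z/
EMAIL_PATH_RE = %r{\A/u/(?<target>[^/?]+)/preferences/email(?:\?|\z)}

EmailChange = Struct.new(:ip, :target, :time)

# Extract one EmailChange per matching request line; everything else is dropped.
def parse_email_changes(lines)
  lines.filter_map do |line|
    req = STARTED_RE.match(line.strip) or next
    path = EMAIL_PATH_RE.match(req[:path]) or next
    EmailChange.new(req[:ip], path[:target], Time.parse(req[:time]))
  end
end

# Returns { ip => [targets] } for source IPs whose requests cover more than
# `max_targets` distinct accounts inside any `window`-second span.
def suspicious_sources(events, max_targets: 1, window: 3600)
  flagged = {}
  events.group_by(&:ip).each do |ip, evs|
    evs = evs.sort_by(&:time)
    evs.each_with_index do |first, i|
      in_window = evs[i..].take_while { |e| e.time - first.time <= window }
      targets = in_window.map(&:target).uniq
      next unless targets.size > max_targets
      flagged[ip] = ((flagged[ip] || []) | targets)
    end
  end
  flagged
end

# Constructed sample log, not real traffic: 203.0.113.10 walks three
# accounts in seven minutes; 198.51.100.7 touches two accounts a day apart.
SAMPLE_LOG = <<~LOG
  Started GET "/latest.json" for 203.0.113.10 at 2025-12-01 09:58:00 +0000
  Started PUT "/u/alice/preferences/email" for 203.0.113.10 at 2025-12-01 10:00:00 +0000
  Started PUT "/u/bob/preferences/email" for 203.0.113.10 at 2025-12-01 10:03:00 +0000
  Started PUT "/u/carol/preferences/email" for 203.0.113.10 at 2025-12-01 10:07:00 +0000
  Started PUT "/u/dave/preferences/email" for 198.51.100.7 at 2025-12-01 11:00:00 +0000
  Started POST "/u/erin/preferences/email" for 198.51.100.7 at 2025-12-02 15:00:00 +0000
LOG

if __FILE__ == $0
  # With file arguments, read those logs; otherwise run on the sample.
  lines = ARGV.empty? ? SAMPLE_LOG.lines : ARGF.readlines
  suspicious_sources(parse_email_changes(lines)).each do |ip, targets|
    puts "#{ip}: email endpoint hit for #{targets.size} accounts (#{targets.join(', ')})"
  end
end
```

The source IP is only meaningful if the reverse proxy in front of Discourse passes the client address through; if every line shows the proxy's address, widen the window and raise max_targets, or correlate on the session instead. Hits from a single IP against one account are expected (a user changing their own address) and are not flagged.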

🔗 References

  • Vendor advisory (GHSA-p39j-x54c-rwqq): https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq
