CVE-2025-69289

Medium CVSS: 5.1

Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.

Vendor

Discourse

Product

Discourse

CWE

CWE-863

Yayın Tarihi

2026-01-28 20:16:13

Güncelleme

2026-01-30 20:47:35

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-863 Discourse MEDIUM Discourse 2026

Referanslar

https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq

Benzer Kayıtlar

Medium

CVE-2026-32113

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to be…

Medium

CVE-2026-33425

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenti…

Low

CVE-2026-33426

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users with…

Low

CVE-2026-33427

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthe…

Medium

CVE-2026-33428

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staf…

Medium

CVE-2026-33424

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacke…