Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.
References
| Link | Resource |
|---|---|
| https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq | Third Party Advisory Mitigation |
Configurations
Configuration 1 (hide)
|
History
30 Jan 2026, 20:47
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| First Time |
Discourse
Discourse discourse |
|
| References | () https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq - Third Party Advisory, Mitigation | |
| CPE | cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:* |
28 Jan 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-28 20:16
Updated : 2026-01-30 20:47
NVD link : CVE-2025-69289
Mitre link : CVE-2025-69289
CVE.ORG link : CVE-2025-69289
JSON object : View
Products Affected
discourse
- discourse
CWE
CWE-863
Incorrect Authorization