CVE-2025-68479 HIGH

CVE-2025-68479: Discourse subscriptions are susceptible to takeover

Vendor Discourse

Product discourse

Weakness CWE-862 · Missing authorization

Published January 28, 2026

Last update January 29, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Key dates

02Disclosure timeline

January 28, 2026 CVE published

January 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68479

Related vulnerabilities

Identifiers

CVE CVE-2025-68479

CWE CWE-862

CVSS 7.1 / HIGH

Affected versions

Vendor Discourse

Product discourse

Affected < 3.5.4

Vendor Discourse

Product discourse

Affected >= 2025.11.0-latest, < 2025.11.2

Vendor Discourse

Product discourse

Affected >= 2025.12.0-latest, < 2025.12.1

Vendor Discourse

Product discourse

Affected >= 2026.1.0-latest, < 2026.1.0

CVE-2025-68479: Discourse subscriptions are susceptible to takeover

01Description

02Disclosure timeline

03References

04Related CVE