CVE-2025-69218 HIGH

CVE-2025-69218: Discourse moderators can access admin-only reports exposing private upload URLs

Vendor Discourse

Product discourse

Weakness CWE-863 · Incorrect authorization

Published January 28, 2026

Last update January 28, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied.

Key dates

02Disclosure timeline

January 28, 2026 CVE published

January 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-69218

Related vulnerabilities

Identifiers

CVE CVE-2025-69218

CWE CWE-863

CVSS 7.1 / HIGH

Affected versions

Vendor Discourse

Product discourse

Affected < 3.5.4

Vendor Discourse

Product discourse

Affected >= 2025.11.0-latest, < 2025.11.2

Vendor Discourse

Product discourse

Affected >= 2025.12.0-latest, < 2025.12.1

Vendor Discourse

Product discourse

Affected >= 2026.1.0-latest, < 2026.1.0

CVE-2025-69218: Discourse moderators can access admin-only reports exposing private upload URLs

01Description

02Disclosure timeline

03References

04Related CVE