Information Disclosure Vulnerability in Discourse by Discourse
CVE-2025-49845

6.3 MEDIUM

Key Information:

Vendor: Discourse

Status: Vendor

CVE Published: 25 June 2025

What is CVE-2025-49845?

Discourse, the popular open-source discussion platform, has an information disclosure vulnerability in specific versions. The platform's 'whisper' feature provides selective visibility of posts, controlled by the 'whispers_allowed_groups' setting. However, on versions prior to 3.4.6 (stable branch) and prior to 3.5.0.beta8-dev (tests-passed branch), a user who has lost permission to view whispers can still read the whispers they themselves authored. This undermines the visibility controls intended to protect sensitive discussions. Users are advised to update to a version containing the fix, as no workaround is available.
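The visibility logic the advisory describes, as an added illustrative model for this page (not Discourse's own code; the class names, the `|`-separated setting format and the author-exception shape of the flaw are assumptions): the vulnerable check keeps an "own post" exception ahead of the group check, the fixed check gates whispers on group membership alone, and a small regression helper reports any whisper still readable by a user outside the allowed groups.

```ruby
# Illustrative model of the whisper visibility check described in
# CVE-2025-49845. NOT Discourse's code: class names, the setting format
# and the exact shape of the check are assumptions made for this example.
require 'set'

User = Struct.new(:id, :group_ids)
Post = Struct.new(:id, :user_id, :whisper)

# Assumed format of the whispers_allowed_groups setting: group ids
# separated by "|", e.g. "3|14" (constructed sample value).
def allowed_group_ids(setting)
  setting.to_s.split('|').map(&:to_i).to_set
end

def in_whisper_group?(user, setting)
  !(user.group_ids.to_set & allowed_group_ids(setting)).empty?
end

# Vulnerable shape: an "own post" exception is evaluated before the
# group check, so a user removed from every allowed group keeps
# reading whispers they authored.
def can_see_whisper_vulnerable?(user, post, setting)
  return true unless post.whisper
  return true if post.user_id == user.id   # the bypass
  in_whisper_group?(user, setting)
end

# Fixed shape: group membership is the only gate for whispers.
def can_see_whisper_fixed?(user, post, setting)
  return true unless post.whisper
  in_whisper_group?(user, setting)
end

# Regression check after changing whispers_allowed_groups: returns
# [user_id, post_id] pairs where a user outside the allowed groups can
# still read a whisper, author or not. An empty result is the goal.
def leaked_whispers(users, posts, setting, checker)
  posts.select(&:whisper).flat_map do |post|
    users.reject { |u| in_whisper_group?(u, setting) }
         .select { |u| checker.call(u, post, setting) }
         .map { |u| [u.id, post.id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  setting = "3"                 # constructed: only group 3 may whisper
  alice = User.new(1, [3])      # still a member of the allowed group
  bob   = User.new(2, [])       # removed from the allowed group
  posts = [Post.new(10, 2, true), Post.new(11, 1, true), Post.new(12, 2, false)]
  p leaked_whispers([alice, bob], posts, setting, method(:can_see_whisper_vulnerable?))
  p leaked_whispers([alice, bob], posts, setting, method(:can_see_whisper_fixed?))
end
```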

Affected Version(s)

discourse < 3.4.6

discourse >= 3.5.0.beta0-dev, < 3.5.0.beta8-dev

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
