User Information Disclosure in Discourse Discussion Platform
CVE-2025-64528

6.3MEDIUM

Key Information:

Vendor: Discourse
Status: Discourse
Vendor: CVE Published:; 30 December 2025

🔔 Create Discourse Vulnerability Alert

What is CVE-2025-64528?

A vulnerability exists in the Discourse discussion platform that allows an attacker who has knowledge of part of a username to retrieve the user's full name through either the user interface or API, regardless of the 'enable_names' setting being disabled. This flaw affects versions prior to 3.5.3, 2025.11.1, and 2025.12.0. Users are encouraged to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

discourse < 3.5.3 < 3.5.3

discourse >= 2025.11.0-latest, < 2025.11.1 < 2025.11.0-latest, 2025.11.1

discourse >= 2025.12.0-latest, < 2025.12.0 < 2025.12.0-latest, 2025.12.0

References

https://github.com/discourse/discourse/security/advisorie...

x_refsource_CONFIRM

https://github.com/discourse/discourse/commit/1cb45b8b287...

x_refsource_MISC

https://github.com/discourse/discourse/commit/6192f556296...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Dec 30, 2025
Vulnerability Reserved
Nov 5, 2025

.

CVE-2025-64528 : User Information Disclosure in Discourse Discussion Platform