CVE-2025-46813

Discourse is an open-source community platform. A data leak vulnerability affects sites deployed from a commit between 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, some private content on the site's homepage could be visible to unauthenticated users. Only login-required sites deployed during this window are affected, roughly between April 30 2025, noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable. No workarounds are available; sites must upgrade to a non-vulnerable version of Discourse.
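Because the affected range is defined by two commits rather than a release number, the practical question for an operator is whether the checkout their site was built from contains the first commit but not the second. The script below is an added example, not Discourse's own tooling: it answers that question with git ancestry checks. It assumes a full (non-shallow) clone, treats 10df7fdee060d44accdee7679d66d778d1136510 as the first vulnerable commit and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b as the fix, and assumes the standard Docker-based install keeps its checkout at /var/www/discourse inside the app container (the DISCOURSE_DIR variable and function names are this example's own).

```shell
#!/bin/sh
# Added example, not Discourse's own tooling: reports whether a Discourse git
# checkout was built from a commit inside the CVE-2025-46813 window.
# Assumptions: the checkout is a full (non-shallow) clone; the first commit in
# the advisory is treated as vulnerable and the second as the fix.
set -u

# Boundary commits quoted in the advisory.
FIRST_BAD=10df7fdee060d44accdee7679d66d778d1136510
FIRST_FIXED=82d84af6b0efbd9fa2aeec3e91ce7be1a768511b

# contains_commit REPO REV COMMIT
# Succeeds when COMMIT exists in REPO and is REV itself or an ancestor of REV.
# The ^{commit} suffix forces an object lookup: rev-parse --verify alone will
# happily echo back any well-formed 40-hex string that is not in the repo.
contains_commit() {
  git -C "$1" rev-parse --verify --quiet "$3^{commit}" >/dev/null 2>&1 &&
    git -C "$1" merge-base --is-ancestor "$3" "$2"
}

# in_vulnerable_range REPO [REV] [FIRST_BAD] [FIRST_FIXED]
# Prints one word and sets the exit status:
#   not-vulnerable (0)  REV does not contain FIRST_BAD, or already contains FIRST_FIXED
#   vulnerable     (1)  REV contains FIRST_BAD but not FIRST_FIXED
#   inconclusive   (2)  not a git repository, or a shallow clone with truncated history
in_vulnerable_range() {
  repo=$1
  rev=${2:-HEAD}
  bad=${3:-$FIRST_BAD}
  fixed=${4:-$FIRST_FIXED}

  if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
    echo inconclusive
    return 2
  fi
  # A shallow clone drops old ancestors, so "not an ancestor" would be unreliable.
  if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
    echo inconclusive
    return 2
  fi
  if contains_commit "$repo" "$rev" "$bad" && ! contains_commit "$repo" "$rev" "$fixed"; then
    echo vulnerable
    return 1
  fi
  echo not-vulnerable
  return 0
}

# Stand-alone use: DISCOURSE_DIR=/var/www/discourse sh check_cve_2025_46813.sh
# (assumed location of the checkout in the standard Docker install; run it inside
# the app container, for example after ./launcher enter app).
if [ -n "${DISCOURSE_DIR:-}" ]; then
  printf '%s: ' "$DISCOURSE_DIR"
  in_vulnerable_range "$DISCOURSE_DIR"
fi
```

The check only answers the code-range half of the advisory: a site is affected only if it was also running with login required, which this script does not inspect. A stable-branch checkout, which the advisory says is unaffected, comes back not-vulnerable because the first commit is not in its history; a shallow clone is reported inconclusive rather than clean, since the ancestor the check needs may have been pruned.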
Configurations

Configuration 1

OR
  cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
  cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:*
  cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:*
  cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:*

History

26 Sep 2025, 12:54

Type Values Removed Values Added

References
  • Removed: https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510 (no tag)
  • Added:   https://github.com/discourse/discourse/commit/10df7fdee060d44accdee7679d66d778d1136510 - Patch
References
  • Removed: https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b (no tag)
  • Added:   https://github.com/discourse/discourse/commit/82d84af6b0efbd9fa2aeec3e91ce7be1a768511b - Patch
References
  • Removed: https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9 (no tag)
  • Added:   https://github.com/discourse/discourse/security/advisories/GHSA-v3h7-c287-pfg9 - Third Party Advisory
First Time
  • Added:   Discourse
  • Added:   Discourse discourse
CWE
  • Added:   NVD-CWE-noinfo
CPE
  • Added:   cpe:2.3:a:discourse:discourse:3.5.0:beta3:*:*:beta:*:*:*
  • Added:   cpe:2.3:a:discourse:discourse:3.5.0:beta2:*:*:beta:*:*:*
  • Added:   cpe:2.3:a:discourse:discourse:3.5.0:beta1:*:*:beta:*:*:*
  • Added:   cpe:2.3:a:discourse:discourse:*:*:*:*:beta:*:*:*
Summary
  • Added (es, translated): Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak caused part of the content of the site's homepage to be visible to unauthenticated users. Only login-required sites deployed during this period were affected, roughly between April 30 2025 at noon EDT and May 2 2025 at noon EDT. Sites on the stable branch were not affected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse.

05 May 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-05 20:15

Updated : 2025-09-26 12:54


NVD link : CVE-2025-46813

Mitre link : CVE-2025-46813

CVE.ORG link : CVE-2025-46813


Products Affected

discourse

  • discourse
CWE
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo: Insufficient Information