BIT-discourse-2025-68933

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2025-68933.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-discourse-2025-68933

Aliases

CVE-2025-68933
GHSA-hpxv-mw7v-fqg2

Published

2026-02-02T08:42:21.302Z

Modified

2026-02-02T09:26:11.727199Z

Summary

Discourse non-admin moderators can exfiltrate private content via post ownership transfer

Details

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the moderators_change_post_ownership setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the moderators_change_post_ownership site setting to prevent non-admin moderators from using the post ownership transfer feature.

Database specific

{
    "cpes": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / discourse

Package

Name: discourse
Purl: pkg:bitnami/discourse

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.5.4

Introduced

2025.11.0

Fixed

2025.11.2

Introduced

2025.12.0

Fixed

2025.12.1

Introduced

2026.1.0

Fixed

2026.1.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/discourse/BIT-discourse-2025-68933.json"