CVE-2025-49845

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49845

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49845.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49845

Aliases

BIT-discourse-2025-49845
GHSA-79qw-r73r-69gf

Published

2025-06-25T15:39:01.328Z

Modified

2026-04-10T05:29:04.423969Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Details

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispers_allowed_groups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch can continue to see their own whispers even after losing visibility of posts typed whisper. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49845.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/discourse/discourse

Affected ranges

Type: GIT
Repo: https://github.com/discourse/discourse
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c897f0081ed9a214d374721dd7eb614608a06e94

Affected versions

v0.*

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.8.8

v0.8.9

v0.9.0

v0.9.1

v0.9.2

v0.9.2.5

v0.9.2.6

v0.9.3

v0.9.4

v0.9.5

v0.9.5.1

v0.9.5.2

v0.9.6

v0.9.6.1

v0.9.6.3

v0.9.6.4

v0.9.7

v0.9.7.1

v0.9.7.2

v0.9.7.3

v0.9.7.4

v0.9.7.5

v0.9.7.6

v0.9.7.7

v0.9.7.8

v0.9.7.9

v0.9.8

v0.9.8.1

v0.9.8.10

v0.9.8.11

v0.9.8.2

v0.9.8.3

v0.9.8.4

v0.9.8.5

v0.9.8.6

v0.9.8.7

v0.9.8.8

v0.9.8.9

v0.9.9.1

v0.9.9.10

v0.9.9.11

v0.9.9.12

v0.9.9.13

v0.9.9.14

v0.9.9.15

v0.9.9.16

v0.9.9.17

v0.9.9.18

v0.9.9.2

v0.9.9.3

v0.9.9.4

v0.9.9.5

v0.9.9.6

v0.9.9.7

v0.9.9.8

v0.9.9.9

v1.*

v1.0.0

v1.1.0.beta2

v1.1.0.beta3

v1.1.0.beta4

v1.1.0.beta5

v1.1.0.beta6

v1.1.0.beta6b

v1.1.0.beta7

v1.1.0.beta8

v1.2.0.beta1

v1.2.0.beta2

v1.2.0.beta3

v1.2.0.beta4

v1.2.0.beta5

v1.2.0.beta6

v1.2.0.beta7

v1.2.0.beta8

v1.2.0.beta9

v1.3.0.beta1

v1.3.0.beta10

v1.3.0.beta11

v1.3.0.beta2

v1.3.0.beta3

v1.3.0.beta4

v1.3.0.beta5

v1.3.0.beta6

v1.3.0.beta9

v1.4.0.beta1

v1.4.0.beta10

v1.4.0.beta11

v1.4.0.beta12

v1.4.0.beta2

v1.4.0.beta3

v1.4.0.beta4

v1.4.0.beta5

v1.4.0.beta6

v1.4.0.beta7

v1.4.0.beta8

v1.4.0.beta9

v1.5.0.beta1

v1.5.0.beta10

v1.5.0.beta11

v1.5.0.beta12

v1.5.0.beta13

v1.5.0.beta13b

v1.5.0.beta14

v1.5.0.beta2

v1.5.0.beta4

v1.5.0.beta5

v1.5.0.beta6

v1.5.0.beta7

v1.5.0.beta8

v1.5.0.beta9

v1.6.0.beta1

v1.6.0.beta10

v1.6.0.beta11

v1.6.0.beta12

v1.6.0.beta2

v1.6.0.beta3

v1.6.0.beta4

v1.6.0.beta5

v1.6.0.beta6

v1.6.0.beta7

v1.6.0.beta8

v1.6.0.beta9

v1.7.0.beta1

v1.7.0.beta10

v1.7.0.beta11

v1.7.0.beta2

v1.7.0.beta3

v1.7.0.beta4

v1.7.0.beta5

v1.7.0.beta6

v1.7.0.beta7

v1.7.0.beta8

v1.7.0.beta9

v1.8.0.beta1

v1.8.0.beta10

v1.8.0.beta11

v1.8.0.beta12

v1.8.0.beta13

v1.8.0.beta2

v1.8.0.beta3

v1.8.0.beta4

v1.8.0.beta5

v1.8.0.beta6

v1.8.0.beta7

v1.8.0.beta8

v1.8.0.beta9

v1.9.0.beta1

v1.9.0.beta10

v1.9.0.beta11

v1.9.0.beta12

v1.9.0.beta13

v1.9.0.beta14

v1.9.0.beta15

v1.9.0.beta16

v1.9.0.beta17

v1.9.0.beta2

v1.9.0.beta3

v1.9.0.beta4

v1.9.0.beta5

v1.9.0.beta6

v1.9.0.beta7

v1.9.0.beta8

v1.9.0.beta9

v2.*

v2.0.0.beta1

v2.0.0.beta10

v2.0.0.beta2

v2.0.0.beta3

v2.0.0.beta4

v2.0.0.beta5

v2.0.0.beta6

v2.0.0.beta7

v2.0.0.beta8

v2.0.0.beta9

v2.1.0.beta1

v2.1.0.beta2

v2.1.0.beta3

v2.1.0.beta4

v2.1.0.beta5

v2.1.0.beta6

v2.2.0.beta1

v2.2.0.beta10

v2.2.0.beta2

v2.2.0.beta3

v2.2.0.beta4

v2.2.0.beta5

v2.2.0.beta6

v2.2.0.beta7

v2.2.0.beta8

v2.2.0.beta9

v2.3.0.beta1

v2.3.0.beta10

v2.3.0.beta11

v2.3.0.beta2

v2.3.0.beta3

v2.3.0.beta4

v2.3.0.beta5

v2.3.0.beta6

v2.3.0.beta7

v2.3.0.beta8

v2.3.0.beta9

v2.4.0.beta1

v2.4.0.beta10

v2.4.0.beta11

v2.4.0.beta2

v2.4.0.beta3

v2.4.0.beta4

v2.4.0.beta5

v2.4.0.beta6

v2.4.0.beta7

v2.4.0.beta8

v2.4.0.beta9

v2.5.0.beta1

v2.5.0.beta2

v2.5.0.beta3

v2.5.0.beta4

v2.5.0.beta5

v2.5.0.beta6

v2.5.0.beta7

v2.6.0.beta1

v2.6.0.beta2

v2.6.0.beta3

v2.6.0.beta4

v2.6.0.beta5

v2.6.0.beta6

v2.7.0.beta1

v2.7.0.beta2

v2.7.0.beta3

v2.7.0.beta4

v2.7.0.beta5

v2.7.0.beta6

v2.7.0.beta7

v2.7.0.beta8

v2.7.0.beta9

v2.8.0.beta1

v2.8.0.beta10

v2.8.0.beta11

v2.8.0.beta2

v2.8.0.beta3

v2.8.0.beta4

v2.8.0.beta5

v2.8.0.beta6

v2.8.0.beta7

v2.8.0.beta8

v2.8.0.beta9

v2.9.0.beta1

v2.9.0.beta10

v2.9.0.beta11

v2.9.0.beta12

v2.9.0.beta13

v2.9.0.beta14

v2.9.0.beta2

v2.9.0.beta3

v2.9.0.beta4

v2.9.0.beta5

v2.9.0.beta6

v2.9.0.beta7

v2.9.0.beta8

v2.9.0.beta9

v3.*

v3.0.0.beta15

v3.0.0.beta16

v3.1.0.beta1

v3.1.0.beta2

v3.1.0.beta3

v3.1.0.beta4

v3.1.0.beta5

v3.1.0.beta6

v3.1.0.beta7

v3.1.0.beta8

v3.2.0.beta1

v3.2.0.beta2

v3.2.0.beta3

v3.2.0.beta4

v3.2.0.beta5

v3.3.0.beta1

v3.3.0.beta2

v3.3.0.beta3

v3.3.0.beta4

v3.3.0.beta5

v3.3.0.beta6

v3.4.0.beta1

v3.4.0.beta2

v3.4.0.beta3

v3.4.0.beta4

v3.5.0.beta1

v3.5.0.beta2

v3.5.0.beta3

v3.5.0.beta4

v3.5.0.beta5

v3.5.0.beta6

v3.5.0.beta7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49845.json"