CVE-2025-68479

Source
https://cve.org/CVERecord?id=CVE-2025-68479
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68479.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68479
Aliases
Published
2026-01-28T18:34:00.486Z
Modified
2026-07-15T02:16:45.275309605Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
Discourse subscriptions are susceptible to takeover
Details

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68479.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "3.5.4"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/discourse/discourse

Affected ranges

Type
GIT
Repo
https://github.com/discourse/discourse
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:*",
        "cpe:2.3:a:discourse:discourse:2025.12.0:*:*:*:stable:*:*:*",
        "cpe:2.3:a:discourse:discourse:2026.1.0:*:*:*:stable:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "2025.11.0"
        },
        {
            "fixed": "2025.11.2"
        },
        {
            "introduced": "2025.12.0"
        },
        {
            "last_affected": "2025.12.0"
        },
        {
            "introduced": "2026.1.0"
        },
        {
            "last_affected": "2026.1.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

2025.*
2025.12.0
2026.*
2026.1.0
v2025.*
v2025.11.0
v2025.11.1
v2025.12.0-latest
v2026.*
v2026.1.0-latest

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68479.json"