CVE-2025-69289
MEDIUM WAF: Low
CVSS 5.4
Published: 2026-01-28
CWE-863
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| discourse | discourse | up to 3.5.4 |
| discourse | discourse | 2025.11.0 - 2025.11.2 |
| discourse | discourse | 2025.12.0 |
| discourse | discourse | 2026.1.0 |
References
- github.com (Third Party Advisory, Mitigation)