Cyber Resilience

CVE-2025-68479

High

Published: 28 January 2026

Modified: 30 January 2026
KEV Added
Patch
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0007 (21.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-68479 is a high-severity Missing Authorization (CWE-862) vulnerability in Discourse (vendor: Discourse, product: Discourse). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 21.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are the NIST SP 800-53 controls AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

CVE-2025-68479 is a missing authorization vulnerability (CWE-862) in Discourse, an open source discussion platform. It affects versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, where certain subscription endpoints fail to check that the requesting user owns the subscription before allowing changes to it. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N): it is reachable over the network with low attack complexity, and its impact falls primarily on confidentiality (high), with a lesser effect on integrity (low) and none on availability.

An authenticated attacker with low privileges, such as a standard registered user, can exploit this vulnerability remotely without user interaction. By targeting the affected subscription endpoints, they can make unauthorized changes to subscriptions owned by other users, potentially exposing sensitive subscription data (high confidentiality impact) or altering subscription details (low integrity impact).

The Discourse security advisory at https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327 confirms the issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available, so administrators should upgrade affected instances promptly.
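To make the CWE-862 shape described above concrete, the following is an added illustration written for this page in plain Ruby (Discourse is a Ruby on Rails application, but this is not Discourse's code and does not model its real endpoints). It places a handler that loads a subscription by the id supplied in the request and reads or changes it with no ownership check beside a hardened handler that makes the access-control decision first, returns the same "not found" answer for missing and foreign records, and records denied attempts so an operator can detect probing. All names (`SubscriptionStore`, `can_access?`, `authorize`, `DENIED_LOG`) and the sample data are hypothetical and constructed.

```ruby
# Added example (not Discourse's code): the CWE-862 missing-ownership-check
# pattern, modelled in plain Ruby with an in-memory store. All names are
# hypothetical.

Subscription = Struct.new(:id, :owner_id, :plan, keyword_init: true)
User         = Struct.new(:id, :admin, keyword_init: true)

# Minimal stand-in for a database table.
class SubscriptionStore
  def initialize
    @rows = {}
  end

  def add(sub)
    @rows[sub.id] = sub
  end

  def find(id)
    @rows[id]
  end
end

# Audit trail of denied requests; a real service would emit these to its logs.
DENIED_LOG = []

# Vulnerable handlers: look the record up by the id in the request and return or
# change it without asking whether the caller owns it. Any authenticated user who
# supplies another user's id reaches that user's subscription.
def show_subscription_vulnerable(store, _current_user, sub_id)
  sub = store.find(sub_id)
  sub ? [:ok, sub.to_h] : [:not_found, nil]
end

def update_subscription_vulnerable(store, _current_user, sub_id, plan:)
  sub = store.find(sub_id)
  return [:not_found, nil] unless sub
  sub.plan = plan
  [:ok, sub.to_h]
end

# Ownership rule kept in one place so every endpoint applies the same decision.
def can_access?(user, sub)
  user.admin || sub.owner_id == user.id
end

# Access-control decision made before any read or write. A foreign record and a
# missing record both yield nil, so the caller cannot learn which ids exist.
# Denied attempts against records that do exist are recorded for detection.
def authorize(store, current_user, sub_id, action)
  sub = store.find(sub_id)
  return sub if sub && can_access?(current_user, sub)
  DENIED_LOG << { user_id: current_user.id, subscription_id: sub_id, action: action } if sub
  nil
end

# Hardened handlers: identical to the vulnerable ones except that the lookup
# goes through authorize.
def show_subscription_hardened(store, current_user, sub_id)
  sub = authorize(store, current_user, sub_id, :show)
  sub ? [:ok, sub.to_h] : [:not_found, nil]
end

def update_subscription_hardened(store, current_user, sub_id, plan:)
  sub = authorize(store, current_user, sub_id, :update)
  return [:not_found, nil] unless sub
  sub.plan = plan
  [:ok, sub.to_h]
end

# Constructed sample data: one subscription owned by user 100.
def demo_store
  store = SubscriptionStore.new
  store.add(Subscription.new(id: 1, owner_id: 100, plan: "monthly"))
  store
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(id: 100, admin: false)
  bob   = User.new(id: 200, admin: false)
  puts "vulnerable show by bob:   #{show_subscription_vulnerable(demo_store, bob, 1).inspect}"
  puts "hardened show by bob:     #{show_subscription_hardened(demo_store, bob, 1).inspect}"
  puts "hardened update by alice: #{update_subscription_hardened(demo_store, alice, 1, plan: 'free').inspect}"
  puts "denied attempts logged:   #{DENIED_LOG.inspect}"
end
```

The design point is that the ownership decision lives in one helper that every handler must call before touching the record, which is what AC-24 (a decision made per request) and AC-3 (that decision enforced) ask for; a per-handler check that one endpoint forgets is exactly how this class of bug arises.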

Vulnerability details

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization on public-facing Discourse web endpoints directly enables remote exploitation of the application by authenticated users to read or modify resources they are not authorized for.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29072 · Same product: Discourse Discourse
CVE-2026-33427 · Same product: Discourse Discourse
CVE-2026-31805 · Same product: Discourse Discourse
CVE-2026-27934 · Same product: Discourse Discourse
CVE-2026-23743 · Same product: Discourse Discourse
CVE-2026-26265 · Same product: Discourse Discourse
CVE-2025-68662 · Same product: Discourse Discourse
CVE-2025-23023 · Same product: Discourse Discourse
CVE-2026-26078 · Same product: Discourse Discourse
CVE-2024-55948 · Same product: Discourse Discourse

Affected Assets

discourse (vendor) · discourse (product)
Affected versions: 2025.12.0, 2026.1.0 · ≤ 3.5.4 · 2025.11.0 to 2025.11.2

Mitigating Controls (NIST 800-53 r5) AI

AC-3 Access Enforcement · prevent

Directly enforces ownership-based authorization decisions on subscription endpoints before allowing modifications, preventing the unauthorized changes described in the CVE.

prevent

Restricts low-privilege authenticated users from reaching or acting on subscription resources they do not own, limiting exploitability of the missing ownership check.

AC-24 Access Control Decisions · prevent

Requires an explicit access-control decision (including ownership verification) to be made and enforced for each subscription change request.

References

https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327