CVE-2025-68479
Published: 28 January 2026
Summary
CVE-2025-68479 is a high-severity Missing Authorization (CWE-862) vulnerability in Discourse Discourse. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on public-facing Discourse web endpoints directly enables remote exploitation of the application by authenticated users to access/modify unauthorized resources.
NVD Description
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known…
more
workarounds are available.
Deeper analysisAI
CVE-2025-68479 is a missing authorization vulnerability (CWE-862) in Discourse, an open source discussion platform. It affects versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, where certain subscription endpoints fail to properly check ownership before allowing changes. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating network accessibility, low attack complexity, and impacts primarily on confidentiality with lesser effects on integrity.
An authenticated attacker with low privileges, such as a standard registered user, can exploit this vulnerability remotely without user interaction. By targeting the affected subscription endpoints, they can make unauthorized changes to subscriptions owned by other users, potentially exposing sensitive subscription data (high confidentiality impact) or altering subscription details (low integrity impact).
The Discourse security advisory at https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327 confirms the issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available, so administrators should upgrade affected instances promptly.
Details
- CWE(s)