CVE-2025-68933

MEDIUM

6.9

Descricao

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.

Detalhes CVE

Pontuacao CVSS v3.16.9

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioREQUIRED

Publicado1/28/2026

Ultima modificacao1/30/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

discourse:discourse

Fraquezas (CWE)

CWE-863

Referencias

https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.