Discourse EUVD-2025-19108

CVE-2025-49845 · HIGH
Information Exposure (CWE-200)
Published 2025-06-25 · security-advisories@github.com
CVSS 3.1 score 7.5 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (6 events)

Analysis Updated · Apr 16, 2026 06:36 (EUVD-patch-fix, executive_summary)
Re-analysis Queued · Apr 16, 2026 05:29 (backfill_euvd_patch, patch_released)
Patch available · Apr 16, 2026 05:29 (EUVD) · fixed in 3.5.0.beta8-dev, 3.4.6
EUVD ID Assigned · Mar 15, 2026 23:19 (euvd) · EUVD-2025-19108
Analysis Generated · Mar 15, 2026 23:19 (vuln.today)
CVE Published · Jun 25, 2025 16:15 (nvd) · HIGH 7.5

Description (GitHub Advisory)

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispers_allowed_groups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch can continue to see their own whispers even after losing visibility of posts typed whisper. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.

Analysis (AI)

Discourse versions prior to 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed) contain an information disclosure vulnerability where users retain visibility of their own whisper-typed posts even after losing group membership that should restrict access to whispers. This is a logic flaw in the whisper visibility enforcement mechanism (CWE-200: Information Exposure) affecting unauthenticated network access with high confidentiality impact. No public exploitation has been reported, but the issue is easily discoverable through normal platform usage.

Technical Context (AI)

Discourse is an open-source discussion platform that implements a whisper post type—a feature allowing posts visible only to specified groups via the whispers_allowed_groups site setting. The vulnerability stems from insufficient visibility control logic (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) where the authorization check fails to properly enforce group membership restrictions on historical whisper posts owned by the user. The root cause appears to be a gap in re-evaluating post visibility permissions when group membership changes, allowing users to retain access to previously authored whispers despite no longer belonging to authorized groups. The affected products are Discourse instances (CPE pattern: cpe:2.3:a:discourse:discourse:*) running versions 3.4.x prior to 3.4.6 and 3.5.0.beta versions prior to beta8-dev.
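To make the class of flaw concrete, the following Ruby sketch is added here as an illustration; it is not Discourse's code, and the names `Post`, `User`, `WhisperPolicy` and `WHISPERS_ALLOWED_GROUPS`, as well as the modelled "author always sees own post" grant, are assumptions made for the example. It places a vulnerable visibility predicate, in which authorship is treated as a grant in its own right, beside a corrected one that consults only the viewer's current group membership, and runs both through the scenario the advisory describes: a user writes a whisper while in an allowed group and is then removed from it.

```ruby
# Constructed illustration of the whisper-visibility logic flaw described in
# the advisory. NOT Discourse's code: Post, User, WhisperPolicy and the
# WHISPERS_ALLOWED_GROUPS constant are stand-ins chosen for this example.

Post = Struct.new(:id, :author, :whisper, keyword_init: true)
User = Struct.new(:name, :groups, keyword_init: true)

# Stand-in for the whispers_allowed_groups site setting (constructed values).
WHISPERS_ALLOWED_GROUPS = %w[staff moderators].freeze

module WhisperPolicy
  # Vulnerable variant: authorship is an independent grant, so a user removed
  # from every allowed group still sees whispers they wrote earlier.
  def self.visible_vulnerable?(post, user)
    return true unless post.whisper
    in_allowed_group?(user) || post.author == user.name
  end

  # Corrected variant: a whisper is visible only if the viewer is *currently*
  # in an allowed group. Membership is re-evaluated on every check, so losing
  # the group immediately removes access, including to the viewer's own posts.
  def self.visible_fixed?(post, user)
    return true unless post.whisper
    in_allowed_group?(user)
  end

  def self.in_allowed_group?(user)
    (user.groups & WHISPERS_ALLOWED_GROUPS).any?
  end

  # Feed-style filter: which post ids a viewer may see under a given predicate.
  def self.visible_ids(posts, user, predicate)
    posts.select { |p| send(predicate, p, user) }.map(&:id)
  end
end

# Constructed scenario: alice writes a whisper while in "staff", then is removed.
def whisper_scenario
  whisper = Post.new(id: 1, author: "alice", whisper: true)
  regular = Post.new(id: 2, author: "alice", whisper: false)
  posts   = [whisper, regular]

  alice_before = User.new(name: "alice", groups: %w[staff])
  alice_after  = User.new(name: "alice", groups: [])
  bob          = User.new(name: "bob", groups: %w[trust_level_1])

  {
    # Both variants agree while alice is still in an allowed group.
    before_vulnerable: WhisperPolicy.visible_vulnerable?(whisper, alice_before),
    before_fixed:      WhisperPolicy.visible_fixed?(whisper, alice_before),
    # After removal, only the vulnerable variant still shows the whisper.
    after_vulnerable:  WhisperPolicy.visible_vulnerable?(whisper, alice_after),
    after_fixed:       WhisperPolicy.visible_fixed?(whisper, alice_after),
    # Unrelated users never see whispers under either variant.
    bob_vulnerable:    WhisperPolicy.visible_vulnerable?(whisper, bob),
    # Feed view: the fixed policy leaves alice only her regular post.
    feed_vulnerable:   WhisperPolicy.visible_ids(posts, alice_after, :visible_vulnerable?),
    feed_fixed:        WhisperPolicy.visible_ids(posts, alice_after, :visible_fixed?),
  }
end

if __FILE__ == $PROGRAM_NAME
  whisper_scenario.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The `feed_*` entries show why this matters beyond a single-post check: the same predicate usually backs list and search queries, so a regression test for a fix of this kind should assert on the filtered feed of a just-demoted author, not only on a direct permission call.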

EUVD-2025-19108 vulnerability details – vuln.today