Vulnerability Details CVE-2025-46813
Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.3%
CVSS Severity
CVSS v3 Score 5.8
References
Products affected by CVE-2025-46813
-
cpe:2.3:a:discourse:discourse:1.1.0
-
cpe:2.3:a:discourse:discourse:1.2.0
-
cpe:2.3:a:discourse:discourse:1.3.0
-
cpe:2.3:a:discourse:discourse:1.4.0
-
cpe:2.3:a:discourse:discourse:1.5.0
-
cpe:2.3:a:discourse:discourse:1.6.0
-
cpe:2.3:a:discourse:discourse:1.7.0
-
cpe:2.3:a:discourse:discourse:1.8.0
-
cpe:2.3:a:discourse:discourse:1.9.0
-
cpe:2.3:a:discourse:discourse:2.0.0
-
cpe:2.3:a:discourse:discourse:2.1.0
-
cpe:2.3:a:discourse:discourse:2.2.0
-
cpe:2.3:a:discourse:discourse:2.3.0
-
cpe:2.3:a:discourse:discourse:2.4.0
-
cpe:2.3:a:discourse:discourse:2.5.0
-
cpe:2.3:a:discourse:discourse:2.6.0
-
cpe:2.3:a:discourse:discourse:2.7.0
-
cpe:2.3:a:discourse:discourse:2.8.0
-
cpe:2.3:a:discourse:discourse:2.9.0
-
cpe:2.3:a:discourse:discourse:3.0.0
-
cpe:2.3:a:discourse:discourse:3.1.0
-
cpe:2.3:a:discourse:discourse:3.2.0
-
cpe:2.3:a:discourse:discourse:3.3.0
-
cpe:2.3:a:discourse:discourse:3.4.0
-
cpe:2.3:a:discourse:discourse:3.5.0