CVE-2025-58055
Last modified
CVE-2025-58055 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. EPSS estimates a 0.23% chance of exploitation in the next 30 days.
Description
Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Discourse | Discourse | < 3.5.1 | — |
| Discourse | Discourse | < 3.6.0 | — |
| Discourse | Discourse | 3.6.0 | Beta1 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2025-58055?
How severe is CVE-2025-58055?
How do I fix CVE-2025-58055?
Are you affected by CVE-2025-58055?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST