Discourse 3.4.x/3.5.0 < beta8: Whisper visibility bypass
CVE-2025-49845 Published on June 25, 2025
Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers
Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-49845 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-49845
Want to know whenever a new CVE is published for Discourse? stack.watch will email you.
Affected Versions
discourse:- Version < 3.4.6 is affected.
- Version >= 3.5.0.beta0-dev, < 3.5.0.beta8-dev is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.