Discourse 3.4.x/3.5.0 < beta8: Whisper visibility bypass
CVE-2025-49845 Published on June 25, 2025
Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2025-49845 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2025-49845
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-49845 are published in Discourse:
Affected Versions
discourse:- Version < 3.4.6 is affected.
- Version >= 3.5.0.beta0-dev, < 3.5.0.beta8-dev is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.