Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-58055

Good to know:

icon
icon

Date: October 1, 2025

Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To workaround this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings.

Severity Score

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2025-58055
https://github.com/discourse/discourse/security/advisories/GHSA-32v2-x274-vfhr
https://www.vicarius.io/vsociety/posts/cve-2025-58055-mitigate-discourse-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-58055-detect-discourse-vulnerability
https://github.com/discourse/discourse/commit/28d569cae9b33cd55d647bf41806106e33d975c9
https://www.mend.io/vulnerability-database/CVE-2025-58055

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

icon

Upgrade Version

Upgrade to version https://github.com/discourse/discourse.git - v3.5.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us