Discourse Chat Permission Bypass Vulnerability

Vulnerability

Discourse versions through 3.3.2, beta versions through 3.4.0.beta3, and tests-passed versions through 3.4.0.beta3 contain a vulnerability in which users who have disabled chat in their preferences can still be reached via chat in certain situations. The issue is fixed in Discourse 3.3.3, 3.4.0.beta4, and 3.4.0.beta4 on the tests-passed branch.

Impact

Exploitation of this vulnerability could lead to a bypass of chat permissions, allowing users to be contacted via chat even after disabling the feature in their preferences.

Remediation

Users are advised to upgrade to Discourse versions 3.3.3, 3.4.0.beta4, or 3.4.0.beta4 in the tests-passed branch. For those unable to upgrade, the chat plugin can be disabled within site settings.
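
A version triage for an inventory of Discourse instances, based on the affected and fixed versions listed above. This is an added example, not code from Discourse or from this advisory; the hostnames and the inventory are constructed, and the function names are hypothetical.

```ruby
# Added example, not Discourse code. Hostnames and version strings are constructed.
require "rubygems" # Gem::Version parses prerelease tags such as "beta3"

FIXED_RELEASE = Gem::Version.new("3.3.3")       # first fixed release per the advisory
FIXED_BETA    = Gem::Version.new("3.4.0.beta4") # first fixed beta / tests-passed

# True when the version falls in a range the advisory lists as affected.
# One "version < fixed" comparison is not enough: 3.3.3 is fixed, while
# 3.4.0.beta1 through beta3 sort after it and are still affected.
def chat_bypass_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true  if v < FIXED_RELEASE
  return false if v >= FIXED_BETA
  # Between the two fixed versions only prereleases (3.4.0.betaN, N < 4) are affected.
  v.prerelease?
end

# Maps each host to :affected, :fixed, or :unknown (blank or unparseable version).
def triage(inventory)
  inventory.to_h do |host, version|
    s = version.to_s.strip
    status =
      if s.empty? || !Gem::Version.correct?(s)
        :unknown
      elsif chat_bypass_affected?(s)
        :affected
      else
        :fixed
      end
    [host, status]
  end
end

# Constructed sample inventory: host => reported Discourse version.
SAMPLE_INVENTORY = {
  "forum-a.example" => "3.3.2",
  "forum-b.example" => "3.3.3",
  "forum-c.example" => "3.4.0.beta3",
  "forum-d.example" => "3.4.0.beta4",
  "forum-e.example" => "not-a-version"
}.freeze

triage(SAMPLE_INVENTORY).each { |host, status| puts "#{host}: #{status}" }
```

Instances reported as :unknown need a manual version check before they are treated as fixed.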

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 3.3
remediation: 8.3
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.