Primary

Context

Discourse Group Direct Message Preference Bypass Vulnerability

Vulnerability

Patched

A vulnerability exists in Discourse versions prior to 3.3.4 on the stable branch and prior to 3.4.0.beta5 on the beta branch. In certain situations, users could be added to group direct messages even after disabling direct messaging in their preferences. This issue has been patched in versions 3.3.4 and 3.4.0.beta5. As a workaround, users can disable chat in their preferences to avoid being added to new group chats.

Impact

This vulnerability allows for the bypass of user preferences regarding direct messaging, potentially leading to unwanted group chat additions.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.6

exploitability

3.3

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.4

impact

0.6

exploitability

3.3

remediation

8.3

relevance

0.0

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Discourse Group Direct Message Preference Bypass Vulnerability

Vulnerability

Impact

Affected Products

Discourse

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating