Volerion logoVolerion
Volerion logoVolerion

Discourse Direct Message User Limit Bypass Vulnerability

Vulnerability

A vulnerability in Discourse prior to stable version 3.4.3 and beta version 3.5.0.beta3 allows users to bypass the direct message (DM) user limit. This could potentially enable the creation of a DM that includes every user from a site. The issue arises because the platform did not properly enforce user limits when adding participants to a DM channel, failing to account for users already included in the conversation.

Impact

Exploitation of this vulnerability could lead to the unauthorized inclusion of all users from a site in a direct message, effectively bypassing the intended user limit for DMs.

Reproduction

To reproduce this vulnerability, create a direct message channel and attempt to add users while exceeding the maximum allowed limit. The channel can be filled to capacity, but the vulnerability allows for additional users to be added by bypassing the limit enforcement.

Remediation

Users can update to Discourse stable version 3.4.3 or beta version 3.5.0.beta3, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
2.4
impact
0.6
exploitability
4.0
remediation
7.7
relevance
0.0
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.