Discourse Whispers Visibility Vulnerability

Vulnerability

A vulnerability in Discourse allows users to keep seeing their own 'whisper' posts after they have lost the group membership that whisper visibility requires. The issue affects Discourse versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch. Whisper visibility is governed by the 'whispers_allowed_groups' site setting, but that setting is not properly enforced for users who have since been removed from the allowed groups, so their own whispers remain visible to them.
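The following Ruby model is an added illustration of the behaviour described above; it is not Discourse's own code, and the advisory does not show the real code path. It assumes a hypothetical visibility policy (WhisperPolicy, User, Post, SiteSettings are all made-up names) in which a weak rule exempts a whisper's author from the group check, beside a corrected rule that treats the 'whispers_allowed_groups' setting as authoritative at read time for everyone. The scenario data is constructed.

```ruby
# Added illustration, not Discourse's own code: a minimal model of whisper
# visibility driven by a site setting that lists the groups allowed to see
# whispers. All names here (SiteSettings, User, Post, WhisperPolicy) are
# hypothetical; the real Discourse code path is not shown on the advisory page.

require 'set'

# Constructed stand-in for the `whispers_allowed_groups` site setting:
# the set of group names whose *current* members may see whisper posts.
SiteSettings = Struct.new(:whispers_allowed_groups)

User = Struct.new(:id, :groups) do
  # true if the user is currently a member of any of the given groups
  def in_any?(group_names)
    groups.any? { |g| group_names.include?(g) }
  end
end

Post = Struct.new(:id, :user_id, :whisper) do
  def whisper?
    whisper
  end
end

module WhisperPolicy
  # Behaviour the advisory describes, modelled as an author exemption:
  # group membership is checked, but the post's own author bypasses it,
  # so an author removed from every allowed group still sees their whispers.
  def self.visible_vulnerable?(post, user, settings)
    return true unless post.whisper?
    return true if post.user_id == user.id # author exemption: the flaw
    user.in_any?(settings.whispers_allowed_groups)
  end

  # Corrected rule: the site setting is authoritative at read time for
  # everyone, authors included. Losing membership revokes visibility at once.
  def self.visible_fixed?(post, user, settings)
    return true unless post.whisper?
    user.in_any?(settings.whispers_allowed_groups)
  end

  # Filter a list of posts with either rule (pass :visible_vulnerable? or
  # :visible_fixed?) so the two can be compared on the same data.
  def self.filter(posts, user, settings, rule)
    posts.select { |p| send(rule, p, user, settings) }
  end
end

# Constructed scenario: `staff` is the only group allowed to see whispers.
SETTINGS = SiteSettings.new(Set['staff'])

# Alice wrote a whisper while in `staff`, then was removed from the group.
ALICE_AFTER_REMOVAL = User.new(1, Set['trust_level_3'])
BOB_STAFF = User.new(2, Set['staff'])

POSTS = [
  Post.new(10, 1, false), # Alice's regular reply
  Post.new(11, 1, true),  # Alice's whisper, written while she was staff
  Post.new(12, 2, true)   # Bob's whisper
].freeze

# Does Alice, now outside every allowed group, still see her own whisper (id 11)?
def alice_sees_own_whisper?(rule)
  WhisperPolicy.filter(POSTS, ALICE_AFTER_REMOVAL, SETTINGS, rule).map(&:id).include?(11)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable rule, Alice sees own whisper: #{alice_sees_own_whisper?(:visible_vulnerable?)}"
  puts "fixed rule, Alice sees own whisper:      #{alice_sees_own_whisper?(:visible_fixed?)}"
  bob_ids = WhisperPolicy.filter(POSTS, BOB_STAFF, SETTINGS, :visible_fixed?).map(&:id)
  puts "fixed rule, Bob (staff) sees post ids:   #{bob_ids.inspect}"
end
```

The point of the comparison is that visibility must be decided from current group membership on every read, with no cached or author-based shortcut; the same pattern applies to any permission that a site setting derives from group membership.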

Impact

This vulnerability could lead to unintended disclosure of private 'whisper' posts, allowing users who are no longer in an allowed group to view content that should be restricted to current members of those groups.

Remediation

Update to Discourse 3.4.6 or later on the stable branch, or 3.5.0.beta8-dev or later on the tests-passed branch. Administrators should also review which groups are listed in 'whispers_allowed_groups', since that setting defines who may see whispers once the fix is in place.

Added: Jun 25, 2025, 4:23 PM
Updated: Jun 25, 2025, 4:23 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 2.4
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.