Discourse Privilege Escalation Vulnerability Allowing Email Change Bypass

Vulnerability

A privilege escalation vulnerability has been identified in Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. It allows non-admin moderators to bypass the restrictions on changing a user's email address, which can lead to the takeover of non-staff accounts.

Impact

Exploitation of this vulnerability could result in unauthorized email changes, allowing non-admin moderators to take over non-staff accounts.

Remediation

Upgrade to Discourse version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 (whichever corresponds to the release line in use). As an alternative mitigation, enable the 'require_change_email_confirmation' site setting.
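The following Ruby script is an added example for triaging an installation against this advisory; it is not code from Discourse or from the advisory's publisher. It takes the four fixed versions from the advisory and assumes that a release is only covered by the fix on its own major.minor line (so a 3.5.x install is compared against 3.5.4, a 2025.12.x install against 2025.12.1, and a version on an unlisted line is flagged for manual review rather than silently called safe). The pre-release handling (a trailing non-numeric token such as 'beta1' sorts below the final release) and the 'exposure' helper, which takes the state of the mitigating setting as a boolean supplied by the caller, are also assumptions made here for illustration.

```ruby
# Added example, not part of the advisory: decide whether a Discourse
# version string falls before the first fixed release on its line.
# Fixed versions come from the advisory; the branch-matching rule and
# the pre-release handling are assumptions made for this example.

FIXED_VERSIONS = %w[3.5.4 2025.11.2 2025.12.1 2026.1.0].freeze

# Split "3.5.4", "2026.1.0.beta1" or "3.5.4-rc1" into its leading numeric
# components; any trailing non-numeric token marks a pre-release.
def parse_version(str)
  tokens = str.strip.split(/[.-]/)
  numbers = tokens.take_while { |t| t.match?(/\A\d+\z/) }.map(&:to_i)
  { numbers: numbers, prerelease: numbers.length < tokens.length }
end

# Compare two version strings: -1, 0 or 1. A pre-release sorts below the
# final release that carries the same numbers.
def version_compare(a, b)
  pa = parse_version(a)
  pb = parse_version(b)
  cmp = pa[:numbers] <=> pb[:numbers]
  return cmp unless cmp.zero?
  return 0 if pa[:prerelease] == pb[:prerelease]
  pa[:prerelease] ? -1 : 1
end

# The fixed release on the same major.minor line, or nil when the
# advisory names no fix for that line.
def fixed_release_for(version)
  major, minor = parse_version(version)[:numbers]
  FIXED_VERSIONS.find do |fixed|
    fmajor, fminor = parse_version(fixed)[:numbers]
    fmajor == major && fminor == minor
  end
end

# :fixed      - at or above the fixed release on its line
# :vulnerable - below the fixed release on its line
# :unknown    - on a line the advisory does not list (for example 3.4.x);
#               flag for review instead of assuming it is safe
def assess_version(version)
  fixed = fixed_release_for(version)
  return :unknown if fixed.nil?
  version_compare(version, fixed) >= 0 ? :fixed : :vulnerable
end

# Fold in the mitigating site setting named in the advisory. The boolean
# is supplied by the caller from the site configuration; this helper does
# not read Discourse settings itself (assumption: the caller knows it).
def exposure(version, require_change_email_confirmation_enabled)
  return :mitigated if require_change_email_confirmation_enabled
  assess_version(version)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not real installations.
  [['3.5.3', false], ['3.5.4', false], ['2025.12.0', true],
   ['2026.1.0.beta1', false], ['3.4.9', false]].each do |v, setting|
    puts "#{v} (setting #{setting ? 'on' : 'off'}): #{exposure(v, setting)}"
  end
end
```

The :unknown result is deliberate: the advisory lists fixes for four release lines, and an install on any other line cannot be declared patched from this text alone, so the script reports it for review rather than guessing.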

Added: Jan 28, 2026, 8:21 PM
Updated: Jan 28, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.3
exploitability: 2.4
remediation: 8.3
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.