CVE-2025-68933 in Discourse
Summary
by MITRE • 01/28/2026
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature.
Analysis
by VulDB Data Team • 01/31/2026
CVE-2025-68933 represents a critical broken access control vulnerability within the Discourse open source discussion platform that undermines the security model governing post ownership transfer permissions. This vulnerability specifically affects versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, where non-administrative moderators with the `moderators_change_post_ownership` setting enabled can exploit a privilege escalation flaw to manipulate post ownership in restricted environments. The technical flaw stems from insufficient authorization checks that fail to validate whether moderators possess proper access rights to the target topics and posts before permitting ownership transfer operations. This vulnerability maps directly to CWE-285, which addresses improper authorization in software systems, and aligns with ATT&CK technique T1078.004 for valid accounts and privilege escalation.
The operational impact of this vulnerability is severe as it enables malicious or compromised moderators to bypass content access controls and gain unauthorized visibility into private messages and restricted category discussions. When a moderator transfers ownership of a post to themselves, they can subsequently export the data and access content they would normally be restricted from viewing, effectively creating a backdoor for information disclosure. This flaw particularly affects organizations relying on Discourse for sensitive communications where private messaging and restricted categories serve as security boundaries. The vulnerability demonstrates how seemingly minor permission settings can create significant security risks when combined with insufficient access control validation mechanisms.
The security patch implemented in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 addresses this issue by introducing comprehensive visibility checks that validate both topic and post access permissions before allowing ownership transfer operations. This remediation follows the principle of least privilege by ensuring that moderators can only transfer ownership of posts they are authorized to access, preventing unauthorized data exfiltration. The patch effectively closes the gap identified in the vulnerability by implementing proper authorization checks that align with security best practices. Organizations should immediately upgrade to the patched versions to eliminate this access control weakness, as the workaround of disabling the `moderators_change_post_ownership` setting only prevents the specific exploit rather than addressing the underlying architectural flaw. The vulnerability highlights the importance of implementing robust access control validation in collaborative platforms where users may possess elevated permissions within specific contexts but should not be able to circumvent content restrictions through privilege escalation techniques.
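To make the missing check concrete, the following is an added Ruby example and not Discourse's own code: it contrasts a post-ownership transfer that only checks the moderator permission with one that also requires the acting user to be able to see the topic and every post, as the patch description states. The `Guardian`, `Topic`, `Post` and `User` structs, the `visible_to` field and the `change_owner_*` functions are hypothetical stand-ins.

```ruby
# Added example, not Discourse's code. It models the authorization gap behind
# CVE-2025-68933: a post-ownership transfer that checks only the moderator
# permission versus one that also checks topic and post visibility.
# Guardian, Topic, Post and the method names are hypothetical stand-ins.
Forbidden = Class.new(StandardError)

User  = Struct.new(:id, :admin, :moderator, keyword_init: true)
# visible_to == nil means a public topic; otherwise the list of user ids
# allowed to read it (a private message or a restricted category).
Topic = Struct.new(:id, :visible_to, keyword_init: true)
Post  = Struct.new(:id, :topic, :user_id, keyword_init: true)

class Guardian
  def initialize(user, moderators_change_post_ownership: false)
    @user = user
    @mods_may_change_owner = moderators_change_post_ownership
  end

  # Mirrors the site setting: admins always may, moderators only when enabled.
  def can_change_post_owner?
    @user.admin || (@user.moderator && @mods_may_change_owner)
  end

  def can_see_topic?(topic)
    @user.admin || topic.visible_to.nil? || topic.visible_to.include?(@user.id)
  end

  def can_see_post?(post)
    can_see_topic?(post.topic)
  end
end

# Vulnerable pattern: the role check passes, so a moderator can reassign posts
# in a private message they cannot read, then read them as the new owner.
def change_owner_unchecked(guardian, posts, new_owner)
  raise Forbidden unless guardian.can_change_post_owner?
  posts.each { |p| p.user_id = new_owner.id }
  true
end

# Patched pattern: the actor must also be able to see the topic and every post.
def change_owner_checked(guardian, posts, new_owner)
  raise Forbidden unless guardian.can_change_post_owner?
  raise Forbidden if posts.empty?
  raise Forbidden unless guardian.can_see_topic?(posts.first.topic)
  raise Forbidden unless posts.all? { |p| guardian.can_see_post?(p) }
  posts.each { |p| p.user_id = new_owner.id }
  true
end
```

Disabling the setting (the published workaround) makes `can_change_post_owner?` false for moderators, which is why it blocks the issue without fixing the missing visibility check.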