CVE-2025-49845

Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Description

Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available.

INFO

Published Date :

2025-06-25T15:39:01.328Z

Last Modified :

2025-06-26T19:44:55.771Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-49845 vulnerability.

Vendors	Products
Discourse	Discourse

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49845.

URL	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-79qw-r73r-69gf

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact