CVE-2025-49845 Overview
CVE-2025-49845 is an information disclosure vulnerability in Discourse, an open-source discussion platform. The flaw resides in how Discourse enforces visibility of posts of the whisper type. The whispers_allowed_groups site setting restricts whisper visibility to users in approved groups. However, users who lose membership in those groups retain visibility of their own previously authored whisper posts. This breaks the expected access control model after group membership changes. The issue affects versions prior to 3.4.6 on the stable branch and prior to 3.5.0.beta8-dev on the tests-passed branch (CWE-200).
Critical Impact
Users removed from whisper-allowed groups can still view their own whisper posts, leading to unintended disclosure of moderator-restricted content.
Affected Products
- Discourse stable branch versions prior to 3.4.6
- Discourse tests-passed branch versions prior to 3.5.0.beta8-dev
- Self-hosted and managed Discourse deployments using whisper functionality
Discovery Timeline
- 2025-06-25 - CVE-2025-49845 published to NVD
- 2025-08-25 - Last updated in NVD database
Technical Details for CVE-2025-49845
Vulnerability Analysis
Discourse uses the whisper post type to allow staff and authorized group members to leave private notes on topics. Visibility of these posts is gated by the whispers_allowed_groups site setting. Only members of the configured groups can view whisper content.
The vulnerability stems from an authorization check gap. When a user's group membership changes such that they no longer satisfy whispers_allowed_groups, the platform correctly hides whispers authored by other users. However, the visibility filter does not apply to whispers the user previously authored. The user continues to read their own historical whisper posts despite no longer holding the required permission.
This is an information disclosure issue categorized under CWE-200. Exploitation requires no special tooling. A user whose group membership has been revoked simply navigates to topics where they previously posted whispers. The data they see may include moderator deliberations or internal commentary that the operator intended to restrict.
Root Cause
The root cause is an incomplete authorization filter in the post visibility logic. The filter scopes whisper visibility based on group membership but contains an ownership-based exception that returns whispers authored by the requesting user regardless of current group status.
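The following Ruby snippet is an added illustration of the authorization gap described above and of the corrected check; it is not Discourse's own code. The model (User, Post, WhisperPolicy, the :whisper type symbol and the sample posts) is constructed for this example, and allowed_group_ids stands in for the whispers_allowed_groups site setting.

```ruby
# Added example (not Discourse's own code): a minimal model of whisper
# visibility showing the ownership exception behind CVE-2025-49845 next to
# the corrected filter. All class and constant names here are assumptions
# made for illustration.

User = Struct.new(:id, :group_ids)
Post = Struct.new(:id, :user_id, :type, :raw)

REGULAR = :regular
WHISPER = :whisper

class WhisperPolicy
  # allowed_group_ids mirrors the whispers_allowed_groups site setting
  def initialize(allowed_group_ids)
    @allowed = allowed_group_ids
  end

  # A user may read whispers only while a member of an allowed group.
  def whisperer?(user)
    !(user.group_ids & @allowed).empty?
  end

  # Vulnerable filter: the ownership clause lets an author keep reading
  # their own whispers even after leaving every allowed group.
  def visible_posts_vulnerable(posts, user)
    posts.select do |post|
      post.type != WHISPER || whisperer?(user) || post.user_id == user.id
    end
  end

  # Corrected filter: current group membership is the only gate for whispers;
  # authorship no longer bypasses it.
  def visible_posts_fixed(posts, user)
    posts.select { |post| post.type != WHISPER || whisperer?(user) }
  end
end

# Constructed sample data: group 3 is the only whisper-allowed group.
STAFF_GROUP = 3
POSTS = [
  Post.new(1, 10, REGULAR, "public reply"),
  Post.new(2, 10, WHISPER, "moderator note written by user 10"),
  Post.new(3, 11, WHISPER, "moderator note written by user 11"),
]

# User 10 authored whisper 2 while in the staff group and was later removed.
# Returns the post ids each filter would show that user.
def demo
  policy = WhisperPolicy.new([STAFF_GROUP])
  former_member = User.new(10, [])
  {
    vulnerable: policy.visible_posts_vulnerable(POSTS, former_member).map(&:id),
    fixed: policy.visible_posts_fixed(POSTS, former_member).map(&:id),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "vulnerable filter shows posts #{r[:vulnerable].inspect}"  # [1, 2]
  puts "fixed filter shows posts      #{r[:fixed].inspect}"       # [1]
end
```

Running the script shows the removed user still receiving their own whisper (post 2) under the vulnerable filter, while the corrected filter returns only the regular post; a user who is still in group 3 sees all three posts under both filters.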
Attack Vector
The attack vector is network-based and requires an authenticated user account. The attacker must have previously authored whisper posts while a member of an allowed group, then later been removed from that group. No technical exploitation code is required to access the disclosed content.
No public proof-of-concept code has been released for this issue. See the GitHub Security Advisory GHSA-79qw-r73r-69gf for vendor details.
Detection Methods for CVE-2025-49845
Indicators of Compromise
- Access log entries showing users viewing whisper posts after their removal from groups defined in whispers_allowed_groups
- Audit log records of group membership changes followed by topic views containing whisper content
- Unexpected user-reported sightings of moderator-only commentary
Detection Strategies
- Correlate group membership change events with subsequent post-view events for whisper-typed posts
- Query the Discourse database for users who authored whisper posts and currently lack membership in any group listed in whispers_allowed_groups
- Review application audit trails for whisper post access requests from non-staff accounts
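The first detection strategy above (correlating group membership changes with later whisper views) can be implemented as a small replay over audit records. The Ruby script below is an added example, not Discourse tooling: the GroupChange and WhisperView record shapes, the ALLOWED_GROUPS constant and the sample events are all constructed for illustration, so an operator would need to map their own audit and access logs onto these fields. It goes slightly beyond the CVE's own pattern by optionally flagging any whisper view after access loss, not only views of self-authored whispers.

```ruby
# Added example (not Discourse's own code): flag whisper views that occur
# after the viewing user lost membership in every whisper-allowed group.
# Record shapes and sample data are constructed for this illustration.
require 'time'

GroupChange = Struct.new(:at, :user_id, :group_id, :action)  # action: :added / :removed
WhisperView = Struct.new(:at, :user_id, :post_id, :author_id)

# Stands in for the group ids configured in whispers_allowed_groups.
ALLOWED_GROUPS = [3].freeze

# Replays membership changes in time order and returns, per user, the time
# at which they most recently stopped belonging to any allowed group.
# Users currently holding access are absent from the result.
def lost_access_at(changes, initial_membership)
  members = initial_membership.transform_values(&:dup)  # user_id => [group ids]
  lost = {}
  changes.sort_by(&:at).each do |c|
    groups = (members[c.user_id] ||= [])
    c.action == :removed ? groups.delete(c.group_id) : (groups << c.group_id)
    if (groups & ALLOWED_GROUPS).empty?
      lost[c.user_id] ||= c.at   # first moment without access, kept until re-added
    else
      lost.delete(c.user_id)     # regained access; clear the marker
    end
  end
  lost
end

# Returns the whisper views made after the viewer lost whisper access.
# own_only: true narrows to the CVE-2025-49845 pattern (self-authored whispers);
# false also catches views of other users' whispers, which the page describes
# as correctly hidden and which would therefore point at a different problem.
def suspicious_views(changes, views, initial_membership, own_only: true)
  lost = lost_access_at(changes, initial_membership)
  views.select do |v|
    cutoff = lost[v.user_id]
    cutoff && v.at > cutoff && (!own_only || v.author_id == v.user_id)
  end
end

# Constructed sample events.
T = ->(s) { Time.iso8601(s) }
INITIAL_MEMBERSHIP = { 10 => [3], 11 => [3], 12 => [] }
CHANGES = [
  GroupChange.new(T["2025-07-01T09:00:00Z"], 10, 3, :removed),
  GroupChange.new(T["2025-07-01T09:05:00Z"], 12, 3, :added),
]
VIEWS = [
  WhisperView.new(T["2025-06-30T12:00:00Z"], 10, 2, 10),  # before removal: expected
  WhisperView.new(T["2025-07-02T08:00:00Z"], 10, 2, 10),  # own whisper after removal: flag
  WhisperView.new(T["2025-07-02T08:10:00Z"], 11, 3, 11),  # still a member: expected
  WhisperView.new(T["2025-07-02T08:20:00Z"], 12, 2, 10),  # newly added member: expected
  WhisperView.new(T["2025-07-02T08:30:00Z"], 10, 3, 11),  # someone else's whisper: not the CVE pattern
]

if __FILE__ == $PROGRAM_NAME
  suspicious_views(CHANGES, VIEWS, INITIAL_MEMBERSHIP).each do |v|
    puts "user #{v.user_id} viewed own whisper post #{v.post_id} at #{v.at.iso8601} after losing access"
  end
end
```

With the sample data only the 2025-07-02 08:00 view of post 2 is reported in the default mode; passing own_only: false additionally reports the view of post 3, which is worth separating because it would indicate the group filter failing for non-authored whispers rather than the ownership bypass this CVE describes.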
Monitoring Recommendations
- Enable verbose access logging on Discourse forum endpoints that render topic content
- Track changes to the whispers_allowed_groups site setting and to membership of those groups
- Periodically audit accounts that have authored whisper posts to verify they retain appropriate authorization
How to Mitigate CVE-2025-49845
Immediate Actions Required
- Upgrade Discourse stable deployments to version 3.4.6 or later
- Upgrade Discourse tests-passed deployments to version 3.5.0.beta8-dev or later
- Review historical whisper content for sensitivity and rotate or redact information accessible to users removed from allowed groups
- Audit the current membership of all groups configured in whispers_allowed_groups
Patch Information
Discourse maintainers patched this vulnerability in versions 3.4.6 (stable) and 3.5.0.beta8-dev (tests-passed). The patched code corrects the visibility filter so that ownership of a whisper post does not bypass the group membership requirement. Refer to the Discourse GitHub Security Advisory for the full advisory.
Workarounds
- No vendor-supplied workarounds are available; upgrading is the only supported remediation
- As an interim risk reduction step, restrict whisper authoring to a minimal set of trusted staff accounts whose group membership is stable
- Consider disabling whisper functionality by clearing whispers_allowed_groups until the upgrade is applied
# Upgrade a self-hosted Discourse instance to the patched stable release
cd /var/discourse
git pull
./launcher rebuild app
# Verify the running version is 3.4.6 or later
./launcher logs app | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.