CVE-2025-68660 Overview
CVE-2025-68660 is an authorization bypass vulnerability affecting Discourse, an open source discussion platform. The vulnerability exists in an endpoint that allows any authenticated user to bypass the ai_discover_persona access controls, gaining unauthorized direct message (DM) access to AI personas. These personas may be configured with access to staff-only categories, RAG (Retrieval-Augmented Generation) document sets, or automated tooling, potentially exposing sensitive organizational data.
Additionally, because the vulnerable controller accepts an arbitrary user_id parameter, attackers can impersonate other user accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive private message traffic.
Critical Impact
Authenticated attackers can bypass AI persona access controls to access staff-only content and impersonate other users in AI-driven conversations.
Affected Products
- Discourse versions prior to 3.5.4
- Discourse versions prior to 2025.11.2
- Discourse versions prior to 2025.12.1
- Discourse versions prior to 2026.1.0
Discovery Timeline
- 2026-01-28 - CVE CVE-2025-68660 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-68660
Vulnerability Analysis
This vulnerability is classified as CWE-863: Incorrect Authorization. The flaw resides in a controller endpoint responsible for managing AI persona interactions within the Discourse platform. The endpoint fails to properly enforce access controls defined by the ai_discover_persona permission system, allowing authenticated users to interact with AI personas they should not have access to.
The vulnerability is particularly concerning because AI personas in Discourse can be configured with elevated privileges, including access to staff-only forum categories and RAG document sets containing potentially sensitive organizational knowledge. When an unauthorized user bypasses these controls, they can extract information from these restricted data sources through AI-mediated conversations.
Root Cause
The root cause is improper authorization validation in the AI persona discovery controller. The endpoint does not adequately verify that the requesting user has the necessary permissions to interact with a given AI persona before establishing a DM conversation. Furthermore, the controller accepts a user_id parameter without proper validation, enabling user impersonation attacks.
Attack Vector
The attack is network-accessible and requires only basic authentication to the Discourse platform. An attacker can exploit this vulnerability through the following mechanism:
- An authenticated user identifies AI personas configured on the Discourse instance
- The attacker sends requests to the vulnerable endpoint, bypassing ai_discover_persona access controls
- A DM conversation is established with AI personas that may have access to restricted content
- By manipulating the user_id parameter, the attacker can also trigger AI conversations that appear to originate from other users
The vulnerability allows attackers to query AI personas connected to staff-only categories or RAG document repositories, effectively extracting information through indirect access. The user impersonation capability also enables abuse scenarios where targeted users receive unsolicited or inappropriate AI-generated messages.
Detection Methods for CVE-2025-68660
Indicators of Compromise
- Unusual volume of DM conversations initiated with AI personas from non-privileged accounts
- API requests to AI persona endpoints containing user_id parameters that don't match the authenticated session
- Access logs showing authenticated users interacting with AI personas configured for staff-only access
- Sudden increase in AI-generated PM traffic, particularly involving impersonated users
Detection Strategies
- Monitor authentication and authorization logs for failed permission checks followed by successful AI persona interactions
- Implement alerting on API calls that include mismatched user_id parameters versus authenticated session identities
- Review AI persona conversation logs for access patterns from users without appropriate persona permissions
- Track anomalous message volumes in AI persona DM channels
Monitoring Recommendations
- Enable verbose logging for AI persona controller endpoints
- Configure alerts for authorization bypass patterns in web application firewall (WAF) logs
- Implement user behavior analytics to detect unusual AI persona interaction patterns
- Audit AI persona configurations to identify which personas have access to sensitive data sources
How to Mitigate CVE-2025-68660
Immediate Actions Required
- Upgrade Discourse to version 3.5.4, 2025.11.2, 2025.12.1, or 2026.1.0 immediately
- Audit AI persona configurations and review which personas have access to sensitive categories or RAG documents
- Review logs for any evidence of exploitation or unauthorized AI persona access
- Consider temporarily restricting AI persona functionality if immediate patching is not possible
Patch Information
Discourse has released security patches addressing this vulnerability. Administrators should update to one of the following fixed versions:
- Version 3.5.4 for the stable branch
- Version 2025.11.2 for the 2025.11.x release series
- Version 2025.12.1 for the 2025.12.x release series
- Version 2026.1.0 for the latest release
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-mrvm-rprq-jqqh.
Workarounds
- No known workarounds are available for this vulnerability
- The only effective mitigation is upgrading to a patched version
- As a temporary measure, consider restricting access to the Discourse instance to trusted users only
- Disabling AI persona features entirely may reduce exposure but is not an official workaround
# Upgrade Discourse to the latest patched version
cd /var/discourse
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
