Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Thu, 02 Oct 2025 09:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Discourse
Discourse discourse |
|
Vendors & Products |
Discourse
Discourse discourse |
Wed, 01 Oct 2025 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Wed, 01 Oct 2025 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Discourse is an open-source community discussion platform. In versions 3.5.0 and below, the Discourse AI suggestion endpoints for topic “Title”, “Category”, and “Tags” allowed authenticated users to extract information about topics that they weren’t authorized to access. By modifying the “topic_id” value in API requests to the AI suggestion endpoints, users could target specific restricted topics. The AI model’s responses then disclosed information that the authenticated user couldn’t normally access. This issue is fixed in version 3.5.1. To work around this issue, users can restrict group access to the AI helper feature through the "composer_ai_helper_allowed_groups" and "post_ai_helper_allowed_groups" site settings. | |
Title | Discourse AI Suggestions Contain Insecure Direct Object Reference | |
Weaknesses | CWE-284 CWE-639 |
|
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-10-01T19:24:12.826Z
Reserved: 2025-08-22T14:30:32.221Z
Link: CVE-2025-58055

Updated: 2025-10-01T18:56:24.229Z

Status : Received
Published: 2025-10-01T19:15:36.317
Modified: 2025-10-01T19:15:36.317
Link: CVE-2025-58055


Updated: 2025-10-02T08:38:21Z