Impact
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert personal messages into public topics even when they lack the necessary permission. A moderator can therefore publish private or sensitive messages to all users, violating confidentiality and, because content that should remain restricted is broadcast, undermining the platform's integrity. The root cause is a missing authorization check (CWE-862).
Affected Systems
The affected platform is Discourse, an open-source discussion community software. The attack surface is any installation running an unpatched release. Vulnerable versions are those older than the fixed releases listed in the advisory (3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0). Upgrading to the latest stable release fixes the issue.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, reflecting a moderate impact on confidentiality and integrity with no denial-of-service component. The EPSS score of less than 1% shows that exploitation is considered unlikely in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an internal moderator account: a user holding moderator privileges can directly convert a private conversation into a public topic and so disclose sensitive information. The absence of a public exploit and the low EPSS suggest that current risk is moderate, but it is higher in environments where moderators are not fully trusted. Keeping installations updated and limiting who holds the moderator role are the essential mitigations.
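The following is an added Ruby example, not Discourse's own code, that models the missing-authorization pattern described under Impact and the role-restriction mitigation above: a guardian that only asks "is this user staff?" beside one that requires admin rights or an explicit grant, plus an audit record defenders can review. The User, Topic and Guardian classes and the :convert_private_message permission are constructed names for illustration.

```ruby
# Added example, not Discourse's own code: a minimal model of the gap above.
# User, Topic, Guardian and :convert_private_message are constructed names.
class NotAuthorized < StandardError; end
User  = Struct.new(:name, :admin, :moderator, :permissions)
Topic = Struct.new(:id, :archetype)

class Guardian
  def initialize(user)
    @user = user
  end
end

# Vulnerable pattern (the CWE-862 shape): the only check is "is this user
# staff?", so any moderator can publish a personal message.
class VulnerableGuardian < Guardian
  def can_convert_topic?(_topic)
    @user.admin || @user.moderator
  end
end

# Hardened pattern: only admins, or moderators holding an explicit grant,
# may convert, and only a personal message is eligible.
class HardenedGuardian < Guardian
  def can_convert_topic?(topic)
    return false unless topic.archetype == :private_message
    @user.admin || @user.permissions.include?(:convert_private_message)
  end
end

AUDIT_LOG = []

# Converts a PM into a public topic once the guardian approves, and records
# the action so defenders can review who published what.
def convert_to_public_topic(topic, actor, guardian_class)
  unless guardian_class.new(actor).can_convert_topic?(topic)
    raise NotAuthorized, "#{actor.name} may not publish topic #{topic.id}"
  end
  topic.archetype = :regular
  AUDIT_LOG << { action: :pm_converted, topic_id: topic.id,
                 actor: actor.name, actor_admin: actor.admin }
  topic
end

# Detection aid: conversions performed by non-admin accounts deserve review
# on an install that has not yet been upgraded.
def conversions_by_non_admins(log = AUDIT_LOG)
  log.select { |e| e[:action] == :pm_converted && !e[:actor_admin] }
end
```

On a real deployment the equivalent review is of the staff action log for personal messages that became public topics while the instance was on a vulnerable version.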
OpenCVE Enrichment