CVE-2025-69289 - Discourse has insecure default configuration that allows non-admin moderators to...

CVE ID: CVE-2025-69289

Published: Jan. 28, 2026, 8:16 p.m.

Description: Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the

CVE Details

Published: Jan. 28, 2026
Impact: privilege escalation