CVE-2025-69289
Discourse has insecure default configuration that allows non-admin moderators to takeover any non-staff account via email changeDiscourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the "require_change_email_confirmation" setting.
We have discovered 3,232 live websites that are affected by CVE-2025-69289.
Affected Software
| Product |  Discourse |
| Category | Message Boards |
| Vulnerable Domains | 3,232 live websites (71% of Discourse install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 64 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Jan 28, 2026
- Updated - Jan 28, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-69289 United States | 1,968 websites |
 Germany | 521 websites |
 France | 134 websites |
 Singapore | 76 websites |
 GB | 59 websites |
 China | 45 websites |
 Russia | 44 websites |
 Netherlands | 32 websites |
 Switzerland | 29 websites |
 Canada | 25 websites |
Website Distribution by TLD
Number of websites using CVE-2025-69289| .com | 1,383 websites |
| .org | 576 websites |
| .net | 165 websites |
| .io | 147 websites |
| .de | 86 websites |
| .ru | 35 websites |
| .fr | 34 websites |
| .eu | 29 websites |
| .co | 27 websites |
| .nl | 23 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-69289
Top websites that are affected by CVE-2025-69289. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.com | United States | *,*** | |
| *********.**********.com | United States | *,*** | |
| *****.******.org | Germany | *,*** | |
| *****.******.com | United States | *,*** | |
| *********.***********.org | United States | **,*** | |
| *********.**********.com | United States | **,*** | |
| *********.******.com | Germany | **,*** | |
| *******.******.com | United States | **,*** | |
| *********.*******.com | United States | **,*** | |
| ******************.com | United States | **,*** |
FAQ
CVE-2025-69289 is Incorrect Authorization in Discourse
A total of 3,232 websites have been identified as vulnerable to CVE-2025-69289, based on global website indexing conducted by WebTechSurvey.
The Discourse is affected by the CVE-2025-69289 vulnerability.
Discourse versions up to 2026.1 are vulnerable to CVE-2025-69289.
CVE-2025-69289 is resolved in version 2026.1 of Discourse.