Authorization bypass through user-controlled key in Discourse - CVE-2025-58055
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the AI suggestion endpoints for topic title, category, and tags when handling API requests with a modified topic_id value. A remote user can send a specially crafted request to disclose sensitive information.
The issue allows information about restricted topics to be exposed to the requester through the AI-generated suggestions.
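As an added illustration (not Discourse's own code, and not the patched code), the following Ruby models the flaw described above: an endpoint that trusts the client-supplied topic_id and feeds that topic's content to an AI suggester without checking that the requester may read it, beside a hardened version that authorizes the topic first. The Topic, User and ai_suggest stand-ins, the sample data, and the category-based can_see? check are assumptions, not Discourse's real Guardian or Topic API.

```ruby
# Added example (not Discourse's own code): a minimal model of the
# "user-controlled key" flaw and its fix. Topic, User and ai_suggest are
# constructed stand-ins; Discourse's real Guardian/Topic APIs differ.

Topic = Struct.new(:id, :title, :raw, :category_id)
User  = Struct.new(:id, :name, :category_ids) # categories the user may read

# Constructed sample data: topic 2 lives in a restricted category (99).
TOPICS = {
  1 => Topic.new(1, "Public question", "How do I set up a category?", 10),
  2 => Topic.new(2, "Internal incident", "Root password was leaked.", 99),
}

# Stand-in for the AI call: it derives suggestions from the topic text,
# so whatever topic is loaded ends up reflected in the response.
def ai_suggest(topic)
  { title: topic.title.upcase, tags: topic.raw.split.first(2) }
end

# VULNERABLE: only checks that the caller is logged in, then loads whatever
# topic_id the client supplied and feeds its content to the AI model.
def suggest_vulnerable(user, params)
  raise "not logged in" unless user
  topic = TOPICS.fetch(params[:topic_id]) { raise "not found" }
  ai_suggest(topic) # leaks content of a topic the user cannot see
end

# Assumed authorization check (modeled on a can_see? guard): the user must
# be allowed to read the topic's category.
def can_see?(user, topic)
  !user.nil? && user.category_ids.include?(topic.category_id)
end

# HARDENED: authorize the topic for *this* user before anything about it
# reaches the AI response. The same "not found" error is returned for a
# missing topic and for a forbidden one, so the endpoint does not reveal
# which restricted topic ids exist.
def suggest_hardened(user, params)
  raise "not logged in" unless user
  topic = TOPICS[params[:topic_id]]
  raise "not found" if topic.nil? || !can_see?(user, topic)
  ai_suggest(topic)
end
```

The fix is the authorization step placed before the AI call; logging in alone does not establish that the caller may read the topic named by topic_id.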