CVE-2025-46813: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in discourse discourse

Severity: Medium
Published: Mon May 05 2025 (05/05/2025, 20:03:46 UTC)
Source: CVE
Vendor/Project: discourse
Product: discourse

Description

Discourse is an open-source community platform. A data leak vulnerability affects sites deployed between commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b. On login-required sites, the leak meant that some content on the site's homepage could be visible to unauthenticated users. Only login-required sites that got deployed during this timeframe are affected, roughly between April 30 2025 noon EDT and May 2 2025, noon EDT. Sites on the stable branch are unaffected. Private content on an instance's homepage could be visible to unauthenticated users on login-required sites. Versions of 3.5.0.beta4 after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b are not vulnerable to the issue. No workarounds are available. Sites must upgrade to a non-vulnerable version of Discourse.

AI-Powered Analysis

Last updated: 07/06/2025, 18:57:33 UTC

Technical Analysis

CVE-2025-46813 is a medium-severity vulnerability affecting Discourse, an open-source community platform widely used for online forums and discussions. The vulnerability is categorized under CWE-200, which involves the exposure of sensitive information to unauthorized actors. Specifically, this flaw impacts Discourse sites that require login and were deployed between the commits 10df7fdee060d44accdee7679d66d778d1136510 and 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b, roughly spanning from April 30, 2025, noon EDT to May 2, 2025, noon EDT. The issue causes some private content on the homepage of these login-required sites to be visible to unauthenticated users, thereby leaking sensitive information that should be restricted to logged-in users only. The vulnerability does not affect sites running the stable branch or versions after commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b (post 3.5.0.beta4). There are no available workarounds, and remediation requires upgrading to a non-vulnerable version of Discourse. The CVSS v3.1 score is 5.8 (medium), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, has low attack complexity, and results in a confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild. The scope is considered changed because the vulnerability allows unauthorized access to data that normally requires authentication, potentially exposing sensitive community or organizational information displayed on the homepage.

Potential Impact

For European organizations using Discourse as their community or internal collaboration platform, this vulnerability poses a risk of unauthorized disclosure of sensitive or private information. Since the flaw exposes private homepage content to unauthenticated users, confidential discussions, internal announcements, or user data intended only for authenticated members could be leaked. This could lead to reputational damage, loss of trust among community members or employees, and potential compliance issues under GDPR if personal data is exposed. The impact is particularly significant for organizations that rely on Discourse for sensitive or regulated communications, such as governmental bodies, financial institutions, healthcare providers, or large enterprises with European operations. Although the vulnerability does not allow data modification or service disruption, the confidentiality breach alone can have serious consequences, including targeted phishing or social engineering attacks leveraging leaked information. The limited timeframe and specific affected versions reduce the overall exposure, but organizations that deployed affected versions during the vulnerable window remain at risk until patched.

Mitigation Recommendations

European organizations should immediately identify any Discourse instances deployed between April 30 and May 2, 2025, that require login and verify their version against the vulnerable commit range. Since no workarounds exist, the primary mitigation is to upgrade affected Discourse installations to a version beyond commit 82d84af6b0efbd9fa2aeec3e91ce7be1a768511b or the stable branch that is not vulnerable. Organizations should also audit the exposed homepage content to assess what sensitive information may have been leaked during the vulnerability window and notify affected users if personal data exposure is suspected. Implementing strict access controls and reviewing homepage content visibility settings can reduce risk in the future. Additionally, monitoring for any suspicious access patterns or data scraping attempts on Discourse sites is recommended. For critical or regulated environments, consider temporarily restricting public access to the homepage or enabling additional authentication layers until the patch is applied. Maintaining an inventory of open-source components and timely patch management processes will help prevent similar issues.
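
One way to carry out the version check described above, as an added example that is not from the advisory or the Discourse project: a shell function that classifies a Discourse git checkout against the two commits quoted in the description, using `git merge-base --is-ancestor`. It assumes the first commit introduced the leak and the second is the fix (so a checkout exactly at the second commit counts as fixed); the function names and the `INTRODUCED`/`FIXED` overrides are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory or the Discourse project).
# Commit ids are the two quoted in the advisory text; the environment
# overrides exist only so the logic can be exercised on a test repository.
# Assumption: INTRODUCED is the first vulnerable commit, FIXED is the fix.
INTRODUCED="${INTRODUCED:-10df7fdee060d44accdee7679d66d778d1136510}"
FIXED="${FIXED:-82d84af6b0efbd9fa2aeec3e91ce7be1a768511b}"

# contains REPO COMMIT REV
#   0 = COMMIT is REV or one of its ancestors
#   1 = it is not (only reported when history is complete)
#   2 = cannot tell: shallow clone, or git error
contains() {
    shallow=$(git -C "$1" rev-parse --is-shallow-repository 2>/dev/null) || return 2
    if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then
        rc=0
        git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null || rc=$?
        [ "$rc" -eq 0 ] && return 0
        [ "$rc" -eq 1 ] || return 2
    fi
    # A missing object or a "no" answer proves nothing in a shallow clone.
    [ "$shallow" = false ] || return 2
    return 1
}

# cve_2025_46813_status [REPO] [REV]
# Prints one of: vulnerable | fixed | predates | unknown
cve_2025_46813_status() {
    repo="${1:-.}"; rev="${2:-HEAD}"
    git -C "$repo" rev-parse --verify --quiet "$rev^{commit}" >/dev/null 2>&1 ||
        { echo unknown; return 0; }
    fix_rc=0; contains "$repo" "$FIXED" "$rev" || fix_rc=$?
    case "$fix_rc" in
        0) echo fixed; return 0 ;;    # fix commit is in this checkout's history
        2) echo unknown; return 0 ;;
    esac
    bug_rc=0; contains "$repo" "$INTRODUCED" "$rev" || bug_rc=$?
    case "$bug_rc" in
        0) echo vulnerable ;;         # has the introducing commit, lacks the fix
        1) echo predates ;;           # older than the introducing commit
        *) echo unknown ;;
    esac
}
```

Call it with the path of the checkout the site is actually served from, for example `cve_2025_46813_status /path/to/discourse`. A result of `unknown` on a shallow clone means the history has to be deepened (`git fetch --unshallow`) before the answer can be trusted.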

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-30T19:41:58.133Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbda9b9

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/6/2025, 6:57:33 PM

Last updated: 8/11/2025, 3:19:57 PM
