CVE-2025-68659

Discourse has DoS vulnerability in username change endpoint

CVSS 4.3 MEDIUMEPSS 0.2%CWE-770

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

28 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerabilityin the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected products

discourse · discourse

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p