Description
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8.
References (3)
Third Party Advisory (x_refsource_confirm): https://github.com/discourse/discourse/security/advisories/GHSA-hv49-93h5-4wcv
Patch (x_refsource_misc): https://github.com/discourse/discourse/commit/20bf65099bb861a141bc10e8a4eab65329d91802
Scores
CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0044
EPSS Percentile: 34.6%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-384
Status: published
Products (3)
discourse/discourse 3.5.0 beta1 (7 CPE variants)
discourse/discourse < 3.4.6
discourse/discourse < 3.5.0
Published: Jul 29, 2025
Tracked Since: Feb 18, 2026