Critical Vulnerability Information

Vulnerability Title
Users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Severity Level: Moderate
CVSS v4 base metrics: 6.3 / 10

Affected Versions:
- stable = 3.4.6
- tests-passed >= 3.5.0.beta8-dev

Description and Impact
The visibility of posts typed as "whisper" is controlled via the site setting. Only users belonging to groups specified in this setting are permitted to view posts typed as "whisper". However, it has been discovered that users can still view their own whispers even after being removed from such groups and thus losing visibility of whisper posts.

Mitigation
This issue has been patched in the latest stable, beta, and tests-passed versions of Discourse.

Bypass Methods
None.

References
None.

CVE ID
CVE-2025-49845

Weaknesses
No CWEs
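
The access-control behaviour described under Description and Impact, as an added example that is not Discourse's code. It is a simplified Ruby model: the structs, group names and both check functions are hypothetical, and the flawed form is an assumed illustration of how an authorship exemption yields the reported behaviour.

```ruby
# Simplified model of whisper visibility; not Discourse's code.
# All names below (User, Post, ALLOWED_GROUPS, ...) are hypothetical.
require "set"

User = Struct.new(:id, :groups)
Post = Struct.new(:id, :author_id, :type)

# Constructed stand-in for the site setting listing groups allowed to see whispers.
ALLOWED_GROUPS = Set["staff", "moderators"].freeze

def in_allowed_group?(user)
  user.groups.any? { |g| ALLOWED_GROUPS.include?(g) }
end

# Flawed form: authorship acts as a standing exemption, so losing group
# membership does not revoke access to the user's own whispers.
def visible_flawed?(user, post)
  return true unless post.type == :whisper
  post.author_id == user.id || in_allowed_group?(user)
end

# Corrected form: whisper access depends only on current group membership,
# evaluated at read time, regardless of who wrote the post.
def visible_fixed?(user, post)
  return true unless post.type == :whisper
  in_allowed_group?(user)
end

# Return the ids of the posts the user would see under the given check.
def visible_ids(user, posts, check)
  posts.select { |p| send(check, user, p) }.map(&:id)
end

# Constructed sample topic: one regular post and two whispers.
POSTS = [
  Post.new(1, 10, :regular),
  Post.new(2, 10, :whisper), # written by user 10 while still in "moderators"
  Post.new(3, 20, :whisper)
].freeze

REMOVED_USER = User.new(10, ["trust_level_1"]) # since removed from "moderators"
MODERATOR = User.new(20, ["moderators"])
```

A regression test for this class of bug should cover the removed author explicitly, since tests that only check non-authors outside the group pass under both forms.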