Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data manipulation via forged webhooks
Action: Patch
AI Analysis

Impact

When the site setting patreon_webhook_secret is left blank, Discourse still verifies incoming Patreon webhook requests with an HMAC‑MD5 whose key is that blank value, i.e. the empty string. Because the attacker supplies the request body, they can compute the matching signature for any payload they choose and have it accepted, enabling the creation, modification, or deletion of Patreon pledge data and triggering patron‑to‑group synchronization. The root cause is that an unconfigured secret was used as a key instead of being treated as a misconfiguration; the advisory maps the weakness to CWE‑639.

Affected Systems

The vulnerability affects Discourse installations running any release before 2025.12.2, 2026.1.1, or 2026.2.0 (in the respective release series) that expose the Patreon plugin webhook endpoint while patreon_webhook_secret is empty. The corresponding patched release in each series addresses it.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects a network‑reachable endpoint that needs no privileges or user interaction and yields a high integrity impact with no confidentiality or availability impact. The EPSS score below 1% indicates a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. On an affected site with a blank secret, exploitation is straightforward: the attacker writes the payload, so the request body is always known to them, and the signing key is the empty string, so nothing has to be guessed. The forged request then causes unauthorized changes to pledge data and triggers group synchronization. Sites with a non‑empty secret are not exposed to this forgery.
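To make the forgery and the fix concrete, the following is an added Ruby example written for this page; it is not code from Discourse or its Patreon plugin. It models the pre‑fix check (whatever the site setting holds, blank included, becomes the HMAC‑MD5 key), the attacker computing the signature with an empty key for a payload of their choosing, and the post‑fix check that refuses requests when the secret is not configured, which also illustrates the workaround of configuring a non‑empty secret. The helper names, the constant‑time comparison, the sample payload and the assumption that the signature is a hex HMAC‑MD5 of the raw body carried in a request header are all constructed for illustration.

```ruby
require "openssl"

# Added example for CVE-2026-26078 (not code from Discourse or the Patreon
# plugin). Header name and the exact comparison logic are assumptions.

# Hex-encoded HMAC-MD5 over the raw request body (the signature scheme the
# advisory describes).
def patreon_signature(secret, body)
  OpenSSL::HMAC.hexdigest("MD5", secret, body)
end

# Constant-time comparison so the check itself does not leak the signature.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pre-fix behaviour (assumed shape): the site setting is used as the key even
# when it is blank, so with secret == "" every sender can produce a valid MAC.
def verify_vulnerable(secret, body, header_sig)
  secure_compare(patreon_signature(secret.to_s, body), header_sig.to_s)
end

# Post-fix behaviour: refuse outright when no secret is configured, so a blank
# setting can never become the key; otherwise verify as before.
def verify_fixed(secret, body, header_sig)
  return :rejected_unconfigured if secret.nil? || secret.strip.empty?
  return :rejected_missing_signature if header_sig.nil? || header_sig.empty?
  ok = secure_compare(patreon_signature(secret, body), header_sig)
  ok ? :accepted : :rejected_bad_signature
end

# Attacker side: the body is attacker-chosen and the key is the empty string,
# so the "secret" needed to sign is no secret at all.
def forge_signature(body)
  patreon_signature("", body)
end

# Constructed sample payload (not captured from Patreon): a fake pledge event
# of the kind that would alter pledge data and drive patron-to-group sync.
FORGED_BODY = '{"data":{"type":"pledge","id":"1","attributes":{"amount_cents":10000}},' \
              '"included":[{"type":"user","id":"42","attributes":{"email":"patron@example.com"}}]}'

# Run both verifiers against the forged request with a blank and with a
# configured secret; the returned hash makes the effect of the fix visible.
def run_scenarios(configured_secret = "s3cret-from-patreon-portal")
  sig = forge_signature(FORGED_BODY)
  {
    vulnerable_blank_secret:      verify_vulnerable("", FORGED_BODY, sig),
    vulnerable_configured_secret: verify_vulnerable(configured_secret, FORGED_BODY, sig),
    fixed_blank_secret:           verify_fixed("", FORGED_BODY, sig),
    fixed_configured_secret:      verify_fixed(configured_secret, FORGED_BODY, sig),
    fixed_legitimate_request:     verify_fixed(configured_secret, FORGED_BODY,
                                               patreon_signature(configured_secret, FORGED_BODY)),
  }
end

if $PROGRAM_NAME == __FILE__
  run_scenarios.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

Running the script shows the vulnerable verifier accepting the forged request only while the secret is blank, and the fixed verifier rejecting it in that state without ever computing a MAC; with a configured secret both verifiers reject the forgery and accept a request signed with the real secret. Note that HMAC‑MD5 with an empty key is a perfectly well‑defined function (its value over an empty message is 74e6f7298a9c2d168935f58c001bad88), which is exactly why "blank secret" has to be handled as a configuration error rather than passed through to the MAC.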

Generated by OpenCVE AI on April 17, 2026 at 14:21 UTC.

Remediation

Fixed in Discourse 2025.12.2, 2026.1.1, and 2026.2.0, which reject webhook requests when patreon_webhook_secret is not configured. Workaround for unpatched installs: set patreon_webhook_secret to a strong, non‑empty value.

OpenCVE Recommended Actions

  • Upgrade Discourse to 2025.12.2, 2026.1.1, or 2026.2.0 (or a later release in the same series); these releases reject webhook requests when the secret is not configured.
  • If upgrading is not immediately possible, set a strong, non‑empty patreon_webhook_secret site setting so that signatures cannot be forged without knowledge of the secret.
  • Disable or remove the Patreon plugin webhook endpoint if the integration is not required.

Advisories

No advisories yet.

History

No values were removed in any of the entries below; each entry lists only values added.

Mon, 02 Mar 2026 22:00:00 +0000

Type: CPEs
Values added:
  cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
  cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*

Fri, 27 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values added: Discourse; Discourse discourse
Type: Vendors & Products
Values added: Discourse; Discourse discourse

Thu, 26 Feb 2026 15:30:00 +0000

Type: Description
Values added: the CVE description reproduced in full in the Description section above
Type: Title
Values added: Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
Type: Weaknesses
Values added: CWE-639
Type: References
Values added: (not shown on this page)
Type: Metrics (cvssV3_1)
Values added:
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T16:17:41.410Z

Reserved: 2026-02-10T18:01:31.902Z

Link: CVE-2026-26078

Vulnrichment

Updated: 2026-02-27T16:17:36.746Z

NVD

Status : Analyzed

Published: 2026-02-26T16:24:06.997

Modified: 2026-03-02T21:52:09.837

Link: CVE-2026-26078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses