Impact
The discourse-subscriptions plugin for the open‑source Discourse platform unintentionally exposes Stripe API keys across all sites in a multisite cluster. When a site accesses its Stripe credentials, the plugin does not isolate them to that site, allowing an attacker to view the credentials for every other site in the same cluster. This leakage can reveal sensitive billing information and potentially enable unauthorized billing actions, representing a classic information‑disclosure weakness identified as CWE‑200.
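The failure mode described above is a lookup that is not scoped to the requesting site. The following Ruby illustration is added here and is not code from the discourse-subscriptions plugin or from Discourse; the settings store, the `Multisite` helper, the key values and the module names are all constructed stand-ins. It contrasts a hypothetical process-wide memoized credential (the first site to request it "wins" and every later site in the same process reads that value) with a lookup keyed by the current site, which is the isolation the fixed releases restore.

```ruby
# Added illustration (not the discourse-subscriptions plugin's code):
# how a process-wide memoized secret leaks across sites in a multisite
# process, and how scoping the lookup to the current site prevents it.

# Constructed stand-in for a per-site settings store; the key values are placeholders.
SITE_SETTINGS = {
  "alpha" => { "stripe_secret_key" => "sk_test_ALPHA_placeholder" },
  "beta"  => { "stripe_secret_key" => "sk_test_BETA_placeholder" },
}

# Constructed stand-in for the "current site" that a multisite request switches to.
module Multisite
  def self.current
    Thread.current[:site] || "alpha"
  end

  def self.with_site(name)
    prev = Thread.current[:site]
    Thread.current[:site] = name
    yield
  ensure
    Thread.current[:site] = prev
  end
end

# Hypothetical vulnerable pattern: the key is memoized at module level, so the
# first site to request it in a process wins and every later site reads that key.
module LeakyStripeConfig
  @api_key = nil

  def self.api_key
    @api_key ||= SITE_SETTINGS.fetch(Multisite.current).fetch("stripe_secret_key")
  end

  def self.reset!
    @api_key = nil
  end
end

# Hardened pattern: the cache is keyed by the current site, so one site can
# never observe another site's credential even though the result is cached.
module ScopedStripeConfig
  @api_keys = {}

  def self.api_key
    site = Multisite.current
    @api_keys[site] ||= SITE_SETTINGS.fetch(site).fetch("stripe_secret_key")
  end

  def self.reset!
    @api_keys = {}
  end
end

# Runs both patterns through the same two-site request sequence and returns
# what each site observed, so the cross-site leak is visible as data.
def compare_keys_across_sites
  LeakyStripeConfig.reset!
  ScopedStripeConfig.reset!
  leaky = {}
  scoped = {}
  %w[alpha beta].each do |site|
    Multisite.with_site(site) do
      leaky[site] = LeakyStripeConfig.api_key
      scoped[site] = ScopedStripeConfig.api_key
    end
  end
  { leaky: leaky, scoped: scoped }
end

if __FILE__ == $PROGRAM_NAME
  result = compare_keys_across_sites
  puts "leaky : #{result[:leaky].inspect}"
  puts "scoped: #{result[:scoped].inspect}"
end
```

Running the script shows site `beta` receiving `alpha`'s key under the leaky pattern and its own key under the scoped one. The same check is a useful regression test for any multisite plugin that caches per-site secrets: exercise two sites in one process and assert that the second never sees the first's value.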
Affected Systems
Discourse community instances running the discourse‑subscriptions plugin from any of the following release ranges are affected: 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0 prior to 2026.3.0. The issue was fixed in releases 2026.1.3, 2026.2.2, and 2026.3.0; applying those updates removes the cross‑site credential leak.
Risk and Exploitability
The CVSS score of 2 reflects a low severity rating, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploits. The likely attack vector is a user with legitimate access to one site within the multisite cluster, who can then read the Stripe keys of the other sites; it is also inferred that a compromised cluster network could provide broader access. Because the affected data are billing credentials, the confidentiality impact is significant even though the overall risk rating remains low to moderate. Prompt remediation is advised to eliminate the potential for cross‑site credential exposure.
OpenCVE Enrichment