Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Published: 2026-03-31
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The discourse‑subscriptions plugin can leak Stripe API keys across sites in a multisite cluster, exposing sensitive payment credentials to sites within the same cluster. The exposed keys represent a confidentiality breach but do not provide an execution or denial‑of‑service vector. This weakness is a classic information‑disclosure flaw.

Affected Systems

Discourse, the open‑source discussion platform, is affected when running versions 2026.1.0‑2026.1.3 (exclusive), 2026.2.0‑2026.2.2 (exclusive), or 2026.3.0‑2026.3.0 (exclusive) in a multisite deployment. All installations that include the discourse‑subscriptions plugin are vulnerable.

Risk and Exploitability

With a CVSS score of 2 and an EPSS probability of less than 1 %, the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be within the same multisite cluster; an attacker would need access to one site in the cluster to capture the leaked key. The impact is limited to unauthorized exposure of Stripe API keys, posing a confidentiality risk to all sites in the cluster.

Generated by OpenCVE AI on April 10, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse to version 2026.1.3 or newer, which includes the patch for the subscriptions plugin.
  • Ensure the discourse‑subscriptions plugin is updated to the latest stable release that contains the fix.
  • Verify that the multisite configuration does not expose Stripe API keys between sites.
  • If a patch is temporarily unavailable, consider disabling Stripe integration or restricting plugin access to trusted users.
  • Monitor Stripe logs for abnormal activity to detect potential abuse of leaked keys.

Generated by OpenCVE AI on April 10, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Discourse
Discourse discourse
Vendors & Products Discourse
Discourse discourse

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Title discourse-subscriptions plugin leaking stripe API key in multisite environment
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Discourse Discourse
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:16:18.969Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33073

cve-icon Vulnrichment

Updated: 2026-04-03T16:16:14.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T18:16:51.807

Modified: 2026-04-10T01:51:54.033

Link: CVE-2026-33073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:46:13Z

Weaknesses