Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Published: 2026-05-19
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Discourse has a subscription access bypass in the discourse-subscriptions plugin that allows unauthenticated or non-paying users to join groups that are gated by a paid subscription. The primary impact is unauthorized access to premium discussion content, exposing potentially sensitive or proprietary information to users who have not completed payment. This is a classic Missing Authorization weakness (CWE-862).

Affected Systems

All installations of Discourse running the discourse-subscriptions plugin with versions older than 2026.1.4, 2026.3.1, 2026.4.1 or 2026.5.0-latest.1 are affected. The vulnerability is present in the plugin code that checks membership status before granting group access. The issue was fixed in the listed patch releases, so any deployment that has not yet been upgraded remains vulnerable.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the EPSS score is not available, which suggests the exploit probability is currently unclear but not known to be high. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood that a widespread exploit exists. The likely attack vector is remote through the web interface, where a user can request to join a subscription group and the system mistakenly allows access without verifying payment status.

Generated by OpenCVE AI on May 19, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discourse and the discourse-subscriptions plugin to a fixed release for your branch: 2026.1.4, 2026.3.1, 2026.4.1 or 2026.5.0-latest.1, or later
  • Temporarily disable subscription-gated groups or restrict their visibility until the patch is applied
  • Verify that admin group access controls enforce payment verification and reject users without valid subscriptions

Advisories

No advisories yet.

History

Tue, 19 May 2026 21:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Discourse; Discourse discourse
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Discourse; Discourse discourse

Tue, 19 May 2026 21:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 19:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Type: Title
  Values Removed: (none)
  Values Added: Discourse has a subscription access bypass in its discourse-subscriptions plugin
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862
Type: References
  Values Removed: (none)
  Values Added: (empty)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0
  {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T20:05:10.090Z

Reserved: 2026-03-25T20:12:04.196Z

Link: CVE-2026-34154

Vulnrichment

Updated: 2026-05-19T20:04:33.991Z

NVD

Status: Awaiting Analysis

Published: 2026-05-19T19:16:49.660

Modified: 2026-05-19T21:08:41.030

Link: CVE-2026-34154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses