What is the CVSS score of CVE-2026-26078?

CVE-2026-26078 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Discourse are affected by CVE-2026-26078?

Discourse instances with blank Patreon webhook secrets are vulnerable to forged webhook attacks, allowing attackers to manipulate pledge data and trigger unauthorized actions without a patch…

How to fix or mitigate CVE-2026-26078?

Within 24 hours: Audit all Discourse instances to identify those with blank patreon_webhook_secret settings and disable Patreon webhook functionality if not actively used. Within 7 days: For instances requiring Patreon integration, generate and configure a strong random webhook secret value immediately, and implement WAF rules to restrict webhook endpoint access to known Patreon IP ranges. Within 30 days: Establish a change management process to prevent webhook secrets from being left blank, and monitor for suspicious webhook activity in Discourse logs.

Discourse CVE-2026-26078

HIGH

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-02-26 security-advisories@github.com

Authentication Bypass Discourse

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 26, 2026 - 16:24 nvd

HIGH 7.5

DescriptionGitHub Advisory

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreon_webhook_secret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the patreon_webhook_secret site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.

AnalysisAI

Discourse instances with an unconfigured patreon_webhook_secret allow remote attackers to forge valid webhook signatures using an empty HMAC-MD5 key, enabling arbitrary creation, modification, or deletion of Patreon pledge data and unauthorized patron synchronization. The vulnerability affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, and currently lacks an available patch. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify blank patreon_webhook_secret setting

Delivery

Compute HMAC-MD5 with empty key

Exploit

Forge valid webhook signature

Execution

Send arbitrary Patreon webhook payload

Impact

Modify pledge data and group synchronization

Access

Identify blank patreon_webhook_secret setting

Delivery

Compute HMAC-MD5 with empty key

Exploit

Forge valid webhook signature

Execution

Send arbitrary Patreon webhook payload

Impact

Modify pledge data and group synchronization

Vulnerability AssessmentAI

Exploitation	patreon_webhook_secret site setting must be blank (unconfigured). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Discourse instances to identify those with blank patreon_webhook_secret settings and disable Patreon webhook functionality if not actively used. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-44786 HIGH This Week

7.5 Jun 12

Information disclosure in Discourse discussion platform allows any MessageBus subscriber to receive real-time chat messa

CVE-2026-45775 MEDIUM This Month

6.8 Jun 12

Path traversal in Discourse's backup download handler allows an authenticated administrator on one site within a multisi

CVE-2026-44784 MEDIUM This Month

6.5 Jun 12

Discourse group owners can retrieve plaintext SMTP credentials - including passwords, usernames, server, port, and SSL m

CVE-2026-44783 MEDIUM This Month

5.4 Jun 12

Whisper channel access control in Discourse can be bypassed by any authenticated forum user, allowing injection of conte

CVE-2026-45085 MEDIUM This Month

5.3 Jun 12

Discourse chat plugin across versions 2026.1.0-2026.4.x contains four authorization deficiencies (CWE-862) enabling both

CVE-2026-26078 vulnerability details – vuln.today

Back

Discourse CVE-2026-26078

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code