Skip to main content

Discourse Subscriptions CVE-2026-34154

| EUVDEUVD-2026-30969 LOW
Missing Authorization (CWE-862)
2026-05-19 GitHub_M
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
May 19, 2026 - 20:02 EUVD
Analysis Generated
May 19, 2026 - 19:31 vuln.today
CVSS changed
May 19, 2026 - 19:22 NVD
2.1 (LOW)

DescriptionGitHub Advisory

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.

AnalysisAI

Payment bypass in the discourse-subscriptions plugin allows unauthenticated users to gain membership in subscription-gated groups without completing a financial transaction. Affected are all Discourse installations running the subscriptions plugin prior to fixed versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.1 reflects high attack complexity, required user interaction, and limited confidentiality impact confined to the vulnerable system.

Technical ContextAI

Discourse is an open-source Ruby on Rails-based discussion platform. The discourse-subscriptions plugin extends Discourse with payment-gated group membership, typically backed by a payment processor. CWE-862 (Missing Authorization) identifies the root cause: the plugin fails to enforce a server-side check confirming payment completion before granting group access, allowing the authorization gate to be bypassed. The CPE string cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:* spans all Discourse versions, but exploitation is scoped to instances with the subscriptions plugin installed and subscription-gated groups configured. The CVSS 4.0 vector designates AT:P (attack requirements present), confirming that a specific deployment precondition - the subscriptions plugin with paid groups - must be in place.

RemediationAI

Vendor-released patch: 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Administrators should upgrade Discourse and the discourse-subscriptions plugin to the appropriate fixed release for their track as documented in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g. If immediate upgrade is not possible, a compensating control is to disable or deactivate the discourse-subscriptions plugin until patching can occur - this eliminates the attack surface entirely but also removes subscription functionality for legitimate users. Alternatively, administrators can manually audit group memberships for users who did not complete payment and revoke unauthorized access. No other specific workarounds are documented in the available advisory data.

CVE-2025-48954 HIGH POC
8.1 Jun 25

Discourse versions prior to 3.5.0.beta6 contain a reflected cross-site scripting (XSS) vulnerability in social login fun

CVE-2024-47773 HIGH POC
8.2 Oct 08

Discourse is an open source platform for community discussion. Rated high severity (CVSS 8.2), this vulnerability is rem

CVE-2021-3138 HIGH POC
7.5 Jan 14

In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. Rated

CVE-2023-38706 MEDIUM POC
6.5 Sep 15

Discourse is an open-source discussion platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2024-53991 MEDIUM POC
5.9 Dec 19

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.9), this vulnerability is r

CVE-2025-48877 CRITICAL
9.8 Jun 09

Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vu

CVE-2023-47121 CRITICAL
9.8 Nov 10

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-41163 CRITICAL
9.8 Oct 20

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2024-49765 CRITICAL
9.1 Dec 19

Discourse is an open source platform for community discussion. Rated critical severity (CVSS 9.1), this vulnerability is

CVE-2026-53963 CRITICAL
9.0 Jul 09

Stored cross-site scripting in the Discourse discussion platform allows a low-privileged registered user to set a malici

CVE-2022-39356 HIGH
8.8 Nov 02

Discourse is a platform for community discussion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit

CVE-2026-27934 HIGH
8.7 Mar 19

Unauthorized information disclosure in Discourse discussion platform versions prior to 2026.3.0-latest.1, 2026.2.1, and

Share

CVE-2026-34154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy