EUVD-2026-17567
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Analysis
Discourse versions 2026.1.0-2026.1.2, 2026.2.0-2026.2.1, and 2026.3.0 leak Stripe API keys across sites in multisite cluster deployments due to improper credential isolation in the discourse-subscriptions plugin, allowing authenticated users with UI access on one site to view payment credentials belonging to other sites within the same cluster. CVSS 2.0 reflects low severity (information disclosure only, requires authentication and user interaction), but the exposure of payment processor credentials carries material business risk. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today