CVE-2026-26078
HMAC Signature Forgery in Discourse Patreon Webhook Allows Unauthorized Data Manipulation
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.1 (exc) |
| discourse | discourse | 2026.2.0 |
| discourse | discourse | to 2025.12.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26078 is an authentication bypass vulnerability in the Patreon plugin webhook endpoint of the Discourse platform. When the `patreon_webhook_secret` site setting is left blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 using an empty string as the key.
Because the attacker knows the request body, they can generate matching signatures and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and enables triggering of patron-to-group synchronization without proper authorization.
The vulnerability is fixed in Discourse versions 2025.12.2, 2026.1.1, and 2026.2.0 by rejecting webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key.
As a workaround, configuring the `patreon_webhook_secret` site setting with a strong, non-empty secret value prevents attackers from forging valid signatures without knowing the secret.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to send unauthorized webhook payloads to the Discourse Patreon plugin, leading to unauthorized creation, modification, or deletion of Patreon pledge data.
It also enables attackers to trigger patron-to-group synchronization without authorization, potentially disrupting group memberships or access controls.
The integrity of Patreon-related data within the Discourse platform can be compromised, which may affect trust and data accuracy.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the configuration of the Discourse site setting `patreon_webhook_secret`. If this setting is blank or not configured, the system is vulnerable to signature forgery attacks.
To detect if your Discourse instance is vulnerable, you can verify the version of Discourse you are running and the value of the `patreon_webhook_secret` setting.
- Check Discourse version to see if it is prior to 2025.12.2, 2026.1.1, or 2026.2.0 (vulnerable versions).
- Use Discourse Rails console or API to check the `patreon_webhook_secret` value. For example, in the Rails console:
- `SiteSetting.patreon_webhook_secret`
If the output is blank or empty, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value.
This prevents attackers from forging valid webhook signatures because they cannot generate the correct HMAC-MD5 signature without knowing the secret.
Additionally, upgrading Discourse to one of the patched versions 2025.12.2, 2026.1.1, or 2026.2.0 will fully resolve the vulnerability by rejecting webhook requests when the secret is not configured.