CVE-2026-33073
Received Received - Intake
API Key Exposure in Discourse-Subscriptions Plugin on Multisite

Publication date: 2026-03-31

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33073
EUVD
EUVD-2026-17567
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
discourse discourse 2026.3.0
discourse discourse From 2026.1.0 (inc) to 2026.1.3 (exc)
discourse discourse From 2026.2.0 (inc) to 2026.2.2 (exc)
discourse discourse 2026.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33073 is a vulnerability in the discourse-subscriptions plugin used in Discourse multisite environments. It causes leakage of Stripe API keys across different sites within the same multisite cluster, potentially exposing sensitive Stripe-related information to unauthorized sites.

The issue arises because the plugin improperly isolates Stripe API keys in a multisite setup, allowing cross-site leakage. Exploitation requires network access, low privileges, and active user interaction, with high complexity due to security mechanisms in place.

The vulnerability affects versions from 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. It has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Impact Analysis

This vulnerability can lead to leakage of Stripe API keys across sites within the same multisite cluster, potentially exposing sensitive payment-related information to unauthorized parties.

The impact is primarily on confidentiality and integrity at a low level, meaning limited unauthorized information disclosure and modification could occur.

There is no impact on system availability.

An attacker with low privileges and network access, requiring active user interaction, could exploit this vulnerability, but the attack complexity is high due to existing security conditions.

Detection Guidance

This vulnerability involves leakage of Stripe API keys across sites in a Discourse multisite cluster due to improper isolation in the discourse-subscriptions plugin. Detection involves verifying if your Discourse installation is running an affected version of the discourse-subscriptions plugin (versions from 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, or 2026.3.0-latest to before 2026.3.0).

You can check the installed plugin version by running commands within your Discourse environment or container, for example:

  • Check the discourse-subscriptions plugin version in your Discourse installation by inspecting the plugin directory or using git commands if installed via git: `cd /var/www/discourse/plugins/discourse-subscriptions && git describe --tags`
  • Search your Discourse logs or network traffic for unexpected Stripe API key exposure or cross-site API calls.
  • Monitor network traffic for Stripe API keys being sent or received across different sites in the multisite cluster.

Since the vulnerability requires network access and low privileges, also review access logs for suspicious activity involving subscription finalization endpoints or Stripe API usage.

Mitigation Strategies

The primary immediate mitigation is to upgrade the discourse-subscriptions plugin to a patched version: 2026.1.3, 2026.2.2, or 2026.3.0 or later, depending on your Discourse version.

If upgrading immediately is not possible, the recommended workaround is to remove the discourse-subscriptions plugin entirely to prevent Stripe API key leakage across sites.

Additionally, review and restrict access to the subscription finalize endpoint to prevent unauthorized group access.

Ensure that your environment does not use global Stripe API key settings and that Stripe API keys are handled per request as per the patched plugin implementation.

Compliance Impact

The vulnerability in the discourse-subscriptions plugin causes leakage of Stripe API keys across sites within the same multisite cluster, potentially exposing sensitive payment-related information to unauthorized parties.

Such leakage of sensitive financial API keys could lead to unauthorized access to payment processing data, which may impact compliance with standards and regulations that require protection of sensitive data, such as GDPR and HIPAA.

However, the vulnerability is rated with a low severity (CVSS v4 base score 2.0) and the impact is limited to low confidentiality and integrity issues without availability impact.

Organizations using affected versions should upgrade to patched versions or remove the plugin to mitigate risks and maintain compliance with data protection requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33073. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart