CVE-2026-34154
Unauthorized Group Access in Discourse via Subscription Plugin
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | to 2026.1.4 (exc) |
| discourse | discourse | From 2026.1.0-latest (inc) to 2026.5.0-latest.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the discourse-subscriptions plugin for the Discourse platform. It allows users to gain unauthorized access to subscription-gated groups without completing the required payment.
The issue affects versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1 and has been fixed in these versions.
Exploitation requires network access, high attack complexity, and active user interaction, but no special privileges are needed.
How can this vulnerability impact me? :
The vulnerability allows unauthorized users to access subscription-gated groups without paying, potentially bypassing payment controls.
However, the severity is classified as low with a CVSS score of 2.1, indicating limited impact on confidentiality, integrity, or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you can disable the discourse-subscriptions plugin until you apply the patched versions.
The vulnerability has been fixed in Discourse versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, so updating to one of these versions is recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized users to access subscription-gated groups without payment, which could potentially lead to unauthorized access to restricted content.
However, the severity is classified as low with a CVSS score of 2.1, indicating limited impact on confidentiality, integrity, or availability.
There is no specific information provided about direct impacts on compliance with standards such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the discourse-subscriptions plugin in Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. Detection involves verifying the installed Discourse version and whether the vulnerable plugin is enabled.
To detect if your system is vulnerable, check the Discourse version and the status of the discourse-subscriptions plugin. If the version is older than the patched releases and the plugin is enabled, your system may be vulnerable.
Specific commands to check the Discourse version and plugin status depend on your deployment method, but generally you can:
- Access the Discourse admin panel and check the version number under 'About' or 'Updates'.
- Check the plugin list in the Discourse admin interface to see if discourse-subscriptions is enabled.
- If you have shell access to the server, you can check the version by running commands like `cd /var/discourse && git show -s --format=%ci HEAD` to see the current commit date, or `grep discourse-subscriptions plugins/*.rb` to verify plugin presence.
No specific network detection commands or signatures are provided for this vulnerability, as exploitation requires user interaction and network access but does not produce distinct network indicators.