Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-26078

Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
Back to all
CVE

CVE-2026-26078

Discourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the patreonwebhooksecret site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the patreonwebhooksecret site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26078.json, https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68, https://nvd.nist.gov/vuln/detail/CVE-2026-26078

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00044%
EPSS Percentile
0.13503%
Introduced Version
0,322d3c0ac6a8f133b3f82875e9dbbe310f638c1b,f7cec86997edc21d6074ceb7666f7e2e6e1b1fdf
Fix Available
9c924c6f4f3885ab616e21bec2447af7056b4322,8a2a8b7d3a494435949a12ad078b22509f54bd58,f7cec86997edc21d6074ceb7666f7e2e6e1b1fdf

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading