CVE-2026-26078
Published: 26 February 2026
Summary
CVE-2026-26078 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Discourse. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit likelihood ranks at the 18.1 percentile (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-26078 is a vulnerability in Discourse, an open source discussion platform, affecting versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The issue occurs when the `patreon_webhook_secret` site setting is left blank, enabling an attacker to forge valid webhook signatures. This forgery is achieved by computing an HMAC-MD5 signature using an empty string as the key, as the request body is fully controllable by the sender.
Any unauthenticated attacker with network access can exploit this vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, score 7.5; CWE-639). Because the attacker chooses the request body, they can compute the matching signature and deliver arbitrary webhook payloads, resulting in unauthorized creation, modification, or deletion of Patreon pledge data, as well as triggering unwanted patron-to-group synchronization.
Discourse patched the vulnerability in versions 2025.12.2, 2026.1.1, and 2026.2.0 by rejecting webhook requests when the secret is not configured, thereby preventing empty-key signature forgery. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value, which ensures attackers cannot forge signatures without knowledge of the secret. Additional details are in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8856
Vulnerability details
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.
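The verification logic described above, before and after the fix, as an added Ruby example (not Discourse's own code): the blank-secret guard is the difference between accepting a signature anyone can compute without a secret and rejecting the request outright. The function names, the sample JSON body and the sample secret are constructed for this illustration.

```ruby
require "openssl"

# Signature scheme the advisory describes: hex HMAC-MD5 of the raw body under the secret.
def patreon_signature(secret, body)
  OpenSSL::HMAC.hexdigest("MD5", secret, body)
end

# Constant-time comparison of two hex digests so verification does not leak timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-fix behaviour: a blank setting is silently used as the key "", so the
# signature no longer depends on anything the sender does not already know.
def vulnerable_webhook_valid?(secret, body, signature)
  constant_time_equal?(patreon_signature(secret.to_s, body), signature)
end

# Post-fix behaviour: refuse every webhook while the secret is not configured,
# then verify normally. nil and whitespace-only values count as unconfigured.
def fixed_webhook_valid?(secret, body, signature)
  return false if secret.nil? || secret.strip.empty?
  constant_time_equal?(patreon_signature(secret, body), signature)
end

# Regression check with constructed values: the blank-secret case must be rejected
# and a correctly configured secret must still accept a genuine signature.
def webhook_guard_check
  body = '{"data":{"type":"pledge","id":"example-1"}}'   # constructed payload
  no_secret_sig = patreon_signature("", body)               # computable with no secret at all
  genuine_sig = patreon_signature("s3cret-example", body)   # constructed secret
  {
    blank_secret_vulnerable: vulnerable_webhook_valid?("", body, no_secret_sig),        # true
    blank_secret_fixed:      fixed_webhook_valid?("", body, no_secret_sig),             # false
    wrong_sig_fixed:         fixed_webhook_valid?("s3cret-example", body, no_secret_sig), # false
    genuine_fixed:           fixed_webhook_valid?("s3cret-example", body, genuine_sig)    # true
  }
end

puts webhook_guard_check.inspect if $PROGRAM_NAME == __FILE__
```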
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Discourse web app (webhook endpoint) directly enables T1190 exploitation without authentication; forged payloads allow direct stored data manipulation (create/modify/delete Patreon pledges and group sync mappings).
Mitigating Controls (NIST 800-53 r5)
- Requires the system to identify and authenticate external services like Patreon webhooks using mechanisms such as HMAC signatures with properly configured secrets, directly preventing forgery when the secret is blank.
- IA-5 (Authenticator Management): mandates management of authenticators, including webhook secrets, to ensure they have sufficient strength, are not left as default empty values, and are protected against unauthorized disclosure or weak usage.
- CM-6 (Configuration Settings): establishes and enforces configuration settings for site parameters like `patreon_webhook_secret` to use strong, non-empty values, aligning with the CVE workaround and with the patch behavior of rejecting unconfigured secrets.