CVE-2026-26078
Published: 26 February 2026
Summary
CVE-2026-26078 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the Discourse discussion platform. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability sits in a public-facing Discourse web endpoint (the Patreon webhook receiver) and is reachable without authentication, which maps directly to T1190; forged payloads allow direct manipulation of stored data (create, modify or delete Patreon pledges and trigger patron-to-group sync mappings).
NVD Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.
Deeper analysis (AI)
CVE-2026-26078 is a vulnerability in Discourse, an open source discussion platform, affecting versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The issue occurs when the `patreon_webhook_secret` site setting is left blank, enabling an attacker to forge valid webhook signatures. This forgery is achieved by computing an HMAC-MD5 signature using an empty string as the key, as the request body is fully controllable by the sender.
Any unauthenticated attacker with network access can exploit this vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, score 7.5; CWE-639). By crafting a known request body and its matching signature, the attacker can deliver arbitrary webhook payloads, resulting in unauthorized creation, modification, or deletion of Patreon pledge data, as well as triggering unwanted patron-to-group synchronization.
Discourse patched the vulnerability in versions 2025.12.2, 2026.1.1, and 2026.2.0 by rejecting webhook requests when the secret is not configured, thereby preventing empty-key signature forgery. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value, which ensures attackers cannot forge signatures without knowledge of the secret. Additional details are in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68.
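The NVD description and the analysis above both describe the same failure mode: an HMAC check whose key is the empty string verifies anything the sender signs with that same empty key. The Ruby below is an added illustration written for this page, not Discourse's own webhook handler; the function names, the sample payload and the site-settings hash are constructed for the example. It places a minimal version of the flawed check beside the hardened form the fix describes (refuse every webhook until a non-empty secret is configured) and adds the configuration check an operator would run to confirm the workaround is in place.

```ruby
# Added example (not Discourse's own code): a minimal Patreon-style webhook
# signature check modelled on the behaviour described in the advisory.
# Function and variable names are hypothetical.
require "openssl"

# Constant-time string comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Patreon signs the raw request body with HMAC-MD5 under the shared secret
# and sends the hex digest in a request header; this reproduces that digest.
def patreon_signature(secret, body)
  OpenSSL::HMAC.hexdigest("MD5", secret, body)
end

# Flawed form: trusts whatever secret is configured, including "".
# With a blank setting the HMAC key is the empty string, which any sender can
# reproduce, so every signature computed over the body verifies.
def verify_vulnerable(secret, body, signature)
  secure_compare(patreon_signature(secret.to_s, body), signature)
end

# Hardened form (mirrors the fix): reject all webhooks until a non-empty
# secret is configured, then verify only against that secret.
def verify_hardened(secret, body, signature)
  return false if secret.nil? || secret.strip.empty?
  secure_compare(patreon_signature(secret, body), signature)
end

# Operational check for the workaround: flag a blank `patreon_webhook_secret`
# so operators can set it before the endpoint is exposed.
def webhook_secret_configured?(site_settings)
  value = site_settings["patreon_webhook_secret"]
  !(value.nil? || value.strip.empty?)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample payload; real Patreon payloads are larger JSON documents.
  body = '{"data":{"type":"pledge","id":"123"}}'
  empty_key_sig = patreon_signature("", body) # what an empty-key signer produces
  puts "blank secret, flawed check:   #{verify_vulnerable("", body, empty_key_sig)}" # true
  puts "blank secret, hardened check: #{verify_hardened("", body, empty_key_sig)}"   # false

  secret = "example-non-empty-secret" # constructed value, not a real secret
  genuine = patreon_signature(secret, body)
  puts "set secret, genuine signature: #{verify_hardened(secret, body, genuine)}"       # true
  puts "set secret, empty-key signature: #{verify_hardened(secret, body, empty_key_sig)}" # false
  puts "secret configured? #{webhook_secret_configured?({ "patreon_webhook_secret" => "" })}" # false
end
```

The hardened check fails closed: a missing or whitespace-only secret is treated as "not configured" rather than as a valid (empty) key, which is the behaviour the patched versions introduce. The `webhook_secret_configured?` check is the same test expressed against the site setting, which is what the workaround asks operators to verify.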
Details
- CWE(s)