
CVE-2026-26078

Severity: High

Published: 26 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: fixed in 2025.12.2, 2026.1.1 and 2026.2.0
CVSS v3.1 Score: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: 0.0006 (18.1 percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26078 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Discourse Discourse. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-26078 is a vulnerability in Discourse, an open source discussion platform, affecting versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The issue occurs when the `patreon_webhook_secret` site setting is left blank, enabling an attacker to forge valid webhook signatures. This forgery is achieved by computing an HMAC-MD5 signature using an empty string as the key, as the request body is fully controllable by the sender.

Any unauthenticated attacker with network access can exploit this vulnerability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, score 7.5; CWE-639). By crafting a known request body and its matching signature, the attacker can deliver arbitrary webhook payloads, resulting in unauthorized creation, modification, or deletion of Patreon pledge data, as well as triggering unwanted patron-to-group synchronization.

Discourse patched the vulnerability in versions 2025.12.2, 2026.1.1, and 2026.2.0 by rejecting webhook requests when the secret is not configured, thereby preventing empty-key signature forgery. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value, which ensures attackers cannot forge signatures without knowledge of the secret. Additional details are in the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68.


Vulnerability details

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering of patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.
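The verification logic described in the analysis and details above, as an added example in Ruby (the language Discourse is written in); this is not the Discourse Patreon plugin's own code. It writes HMAC-MD5 out from RFC 2104 so the empty-key case is visible, shows the pre-fix verifier beside the fixed one that refuses a blank `patreon_webhook_secret`, and compares digests in constant time. The sample body, placeholder secret and all function names are constructed for this example.

```ruby
require 'digest'

MD5_BLOCK = 64

# HMAC-MD5 per RFC 2104, written out so the empty-key case is visible:
# a blank key is padded to 64 zero bytes, giving a MAC that anyone can compute.
def hmac_md5_hex(key, message)
  key = key.b
  key = Digest::MD5.digest(key) if key.bytesize > MD5_BLOCK
  key = key.ljust(MD5_BLOCK, "\x00")
  ipad = key.bytes.map { |b| b ^ 0x36 }.pack('C*')
  opad = key.bytes.map { |b| b ^ 0x5c }.pack('C*')
  Digest::MD5.hexdigest(opad + Digest::MD5.digest(ipad + message.b))
end

# Constant-time comparison so the verifier does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-fix shape (illustrative, not the plugin's code): an unset setting means an empty key.
def vulnerable_verify?(secret_setting, body, header_signature)
  secure_equal?(hmac_md5_hex(secret_setting.to_s, body), header_signature.to_s)
end

# Fixed shape, matching the advisory: refuse outright when no secret is configured.
def hardened_verify?(secret_setting, body, header_signature)
  secret = secret_setting.to_s
  return false if secret.strip.empty? || header_signature.to_s.empty?
  secure_equal?(hmac_md5_hex(secret, body), header_signature.to_s)
end

# Constructed sample payload and placeholder secret; neither is real Patreon data.
SAMPLE_BODY = '{"data":{"type":"pledge","id":"1"}}'.freeze
ADMIN_SECRET = 'placeholder-secret-set-by-admin'.freeze

def demo
  empty_key_sig = hmac_md5_hex('', SAMPLE_BODY)
  genuine_sig   = hmac_md5_hex(ADMIN_SECRET, SAMPLE_BODY)
  {
    blank_setting_vulnerable: vulnerable_verify?('', SAMPLE_BODY, empty_key_sig),
    blank_setting_hardened:   hardened_verify?('', SAMPLE_BODY, empty_key_sig),
    nil_setting_hardened:     hardened_verify?(nil, SAMPLE_BODY, empty_key_sig),
    genuine_hardened:         hardened_verify?(ADMIN_SECRET, SAMPLE_BODY, genuine_sig),
    wrong_signature_hardened: hardened_verify?(ADMIN_SECRET, SAMPLE_BODY, 'deadbeef')
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```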

CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

The vulnerable webhook endpoint sits in the public-facing Discourse web application and is reachable without authentication, which maps directly to T1190. Forged payloads then manipulate stored data (creating, modifying or deleting Patreon pledges and group-sync mappings), which maps to T1565.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26265 (same product: Discourse Discourse)
CVE-2025-23023 (same product: Discourse Discourse)
CVE-2024-55948 (same product: Discourse Discourse)
CVE-2026-29072 (same product: Discourse Discourse)
CVE-2026-27934 (same product: Discourse Discourse)
CVE-2026-31805 (same product: Discourse Discourse)
CVE-2025-68479 (same product: Discourse Discourse)
CVE-2026-23743 (same product: Discourse Discourse)
CVE-2025-68662 (same product: Discourse Discourse)
CVE-2026-33427 (same product: Discourse Discourse)

Affected Assets

Vendor: discourse
Product: discourse
Affected versions: 2026.2.0 · ≤ 2025.12.0 · 2026.1.0 — 2026.1.1

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Requires the system to identify and authenticate external services like Patreon webhooks using mechanisms such as HMAC signatures with properly configured secrets, directly preventing forgery when the secret is blank.

Prevent (IA-5, Authenticator Management): Mandates management of authenticators, including webhook secrets, to ensure they have sufficient strength, are not left as default empty values, and are protected against unauthorized disclosure or weak usage.

Prevent (CM-6, Configuration Settings): Establishes and enforces configuration settings for site parameters like `patreon_webhook_secret` to use strong, non-empty values, aligning with the CVE workaround and with the patch behaviour of rejecting unconfigured secrets.

References

GitHub Security Advisory GHSA-frx4-wg35-4r68: https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68