Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.

INFO

Published Date :

2026-02-26T15:00:47.130Z

Last Modified :

2026-02-27T16:17:41.410Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26078 vulnerability.

Vendors Products
Discourse
  • Discourse
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26078.

URL Resource
https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact