PT-2026-22153 · Discourse · Discourse

Davidtaylorhq

·

Published

2026-02-26

·

Updated

2026-03-03

·

CVE-2026-26078

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0
Description
Discourse, an open source discussion platform, is susceptible to a webhook signature-verification bypass. When the patreon webhook secret site setting is not configured (blank), incoming Patreon webhook signatures are checked with an HMAC-MD5 computed using the empty string as the key. Because the request body is chosen by the sender, anyone can compute a matching signature and submit arbitrary webhook payloads that the instance accepts as genuine. This can lead to unauthorized actions, including the creation, modification, or deletion of Patreon pledge data and the triggering of patron-to-group synchronization. The issue is resolved by rejecting webhook requests when the webhook secret is not configured.
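As an added illustration (not Discourse's own code; the function names and the sample payload are constructed), the blank-secret verifier the description warns about next to the rejecting verifier that the fix describes:

```ruby
require "openssl"

# Constructed illustration (not Discourse's own code) of the two verifier
# behaviours described in the advisory. Signatures are hex HMAC-MD5 over the
# raw request body, keyed with the configured site setting.
def patreon_signature_for(secret, body)
  OpenSSL::HMAC.hexdigest("MD5", secret.to_s, body)
end

# Pre-fix behaviour: a blank setting is silently used as the HMAC key, so a
# valid signature for any body can be computed with the empty string.
def vulnerable_signature_valid?(secret, body, presented)
  presented == patreon_signature_for(secret, body)
end

# Constant-time comparison so the check does not leak how many leading
# bytes of the presented signature were correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fixed behaviour, mirroring the advisory's remedy: refuse every webhook
# while no secret is configured, then verify in constant time.
def hardened_signature_valid?(secret, body, presented)
  return false if secret.nil? || secret.strip.empty?
  return false unless presented.is_a?(String)
  constant_time_equal?(presented, patreon_signature_for(secret, body))
end

if $PROGRAM_NAME == __FILE__
  body = '{"data":{"type":"pledge","id":"12345"}}' # constructed sample payload
  sig_from_blank = patreon_signature_for("", body)  # what a blank setting accepts
  puts "vulnerable, blank secret: #{vulnerable_signature_valid?('', body, sig_from_blank)}" # true
  puts "hardened,   blank secret: #{hardened_signature_valid?('', body, sig_from_blank)}"   # false
end
```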
Recommendations
Versions prior to 2025.12.2: Configure the patreon webhook secret site setting with a strong, non-empty secret value.
Versions prior to 2026.1.1: Configure the patreon webhook secret site setting with a strong, non-empty secret value.
Versions prior to 2026.2.0: Configure the patreon webhook secret site setting with a strong, non-empty secret value.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

BIT-DISCOURSE-2026-26078
CVE-2026-26078
GHSA-FRX4-WG35-4R68

Affected Products

Discourse