Platform: discourse
Component: discourse-subscriptions
Fixed in: 2026.1.1, 2026.2.1, 2026.3.1
CVE-2026-33074 is a vulnerability in the discourse-subscriptions plugin for the Discourse discussion platform. It allows a user who pays for a lower subscription tier to obtain the features and privileges of a higher tier. Affected are plugin releases in the 2026.1, 2026.2 and 2026.3 series below the patched versions; patches are available in 2026.1.3, 2026.2.2 and 2026.3.0.
The core impact of CVE-2026-33074 is unauthorized access to premium features and content on a Discourse instance. An attacker can obtain benefits reserved for higher-paying subscribers, such as increased posting limits, access to exclusive categories, or priority support. Because the plugin grants a subscription by adding the purchaser to a Discourse group, the impact extends to whatever permissions the higher tier's group carries: if a tier's group has moderation or other elevated rights, those are exposed as well. The consequences are unfair advantages among members and a broken monetization model; the blast radius covers every instance that sells tiered subscriptions through the plugin and everything gated behind its higher tiers.
CVE-2026-33074 was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the nature of the vulnerability and the lack of public exploits, the probability of exploitation is considered low.
Discourse instances running the discourse-subscriptions plugin in an unpatched 2026.1, 2026.2 or 2026.3 release are at risk. This includes organizations that rely on Discourse for community forums and monetize them through subscription tiers.
Checks (adjust the path and hostname to your installation):
• Plugin present on disk (in a standard Docker install the plugin lives under /var/www/discourse/plugins inside the app container, so run this there):
grep -r 'subscriptions.purchase' /var/discourse/plugins/
• Purchase endpoint reachable:
curl -sI https://your-discourse-instance.com/subscriptions/purchase | grep -i '^HTTP/'
A 200 response only shows that the plugin is installed and purchases are enabled; it does not confirm a vulnerable version. Take the version from the plugin's plugin.rb header or from the commit checked out in the plugin directory.
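The version check described above, as an added example that is not part of the advisory or of Discourse itself. It reads the version line out of a plugin.rb header and compares it against the patched releases quoted in the advisory text (2026.1.3, 2026.2.2, 2026.3.0). The "# version: X.Y.Z" header format and the sample plugin.rb are assumptions made for the example; on a real host point plugin_version at the installed plugin's plugin.rb.

```shell
#!/bin/sh
# Added example (not from the advisory or from Discourse): decide whether an
# installed discourse-subscriptions version predates the patched release for
# its series. Patched versions are taken from the advisory text:
# 2026.1.3, 2026.2.2, 2026.3.0 (the page's header table lists different
# numbers; substitute the set you trust).

# patched_for_series MAJOR MINOR -> prints the first patched PATCH number for
# that series, or fails if the series is outside the advisory's range
patched_for_series() {
  case "$1.$2" in
    2026.1) echo 3 ;;
    2026.2) echo 2 ;;
    2026.3) echo 0 ;;
    *) return 1 ;;
  esac
}

# is_vulnerable X.Y.Z -> exit 0 (true) when the version is below the patch
# for its series. Series outside 2026.1..2026.3 are not covered by this
# advisory and are reported as not affected. A pre-release suffix such as
# "2026.2.1-beta1" is stripped before comparing.
is_vulnerable() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
  patch=${patch:-0}
  fixed=$(patched_for_series "$major" "$minor") || return 1
  [ "$patch" -lt "$fixed" ]
}

# plugin_version FILE -> prints the version from a "# version: X.Y.Z" line
# (assumed header format; discourse plugins declare metadata as comments)
plugin_version() {
  sed -n 's/^# version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample plugin.rb header standing in for the real file at
# /var/www/discourse/plugins/discourse-subscriptions/plugin.rb
sample=$(mktemp)
cat > "$sample" <<'EOF'
# frozen_string_literal: true
# name: discourse-subscriptions
# about: Allows admins to sell subscriptions
# version: 2026.2.1
EOF

v=$(plugin_version "$sample")
if is_vulnerable "$v"; then
  echo "discourse-subscriptions $v: below patched release for its series, upgrade"
else
  echo "discourse-subscriptions $v: at or above patched release"
fi
rm -f "$sample"
```

On a live host, combine this with the app.yml plugin list and the curl check above: the plugin's git clone line in /var/discourse/containers/app.yml shows whether the plugin is deployed, and plugin.rb inside the container gives the version this script compares.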
Exploit status
EPSS: 0.05% (17th percentile)
CISA SSVC: no decision listed
The primary mitigation for CVE-2026-33074 is to upgrade the discourse-subscriptions plugin to a patched version: 2026.1.3, 2026.2.2, or 2026.3.0. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, temporarily disable subscription purchases until the upgrade can be performed. Review existing subscription data for anomalies that indicate exploitation: compare each subscriber's Discourse group membership with the plan they actually paid for in Stripe, and look for members of higher-tier groups whose purchase history shows only a lower tier. A WAF or proxy cannot prevent this vulnerability, since the bypass happens inside a legitimate purchase flow, but it can be used to log and alert on unusual purchase patterns or on access to higher-tier resources by accounts that have never purchased that tier. There are no Sigma or YARA rules specific to this vulnerability.
Update the discourse-subscriptions plugin to version 2026.1.3, 2026.2.2 or 2026.3.0, or a later release. This fixes the flaw that lets users grant themselves the benefits of a higher subscription tier.
CVE-2026-33074 is a vulnerability in the discourse-subscriptions plugin for Discourse that lets a user who purchases a lower tier obtain the benefits of a higher tier. It affects the subscription feature and results in unauthorized access to tier-gated content and privileges.
You are affected if your Discourse instance uses the discourse-subscriptions plugin in an unpatched 2026.1, 2026.2 or 2026.3 release. Check the installed plugin version and upgrade if necessary.
Upgrade your Discourse instance to version 2026.1.3, 2026.2.2, or 2026.3.0. These versions include a patch for this vulnerability.
As of now, there are no known active exploits or confirmed exploitation campaigns targeting CVE-2026-33074.
Refer to the official Discourse security advisory for detailed information and updates regarding CVE-2026-33074: [https://github.com/discourse/discourse/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory URL)