Discourse Patreon Webhook Signature Forgery Vulnerability Allowing Unauthorized Data Manipulation

Vulnerability

A vulnerability in Discourse's Patreon integration allows webhook signatures to be forged, enabling unauthorized actions on Patreon pledge data. This issue affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0. The vulnerability arises when the 'patreon_webhook_secret' site setting is empty: the empty value is still used as the HMAC-MD5 key, so an attacker can compute signatures that the endpoint accepts and send arbitrary webhook payloads. Exploitation can lead to unauthorized creation, modification, or deletion of Patreon pledge information and can disrupt patron-to-group synchronization.

Impact

Successful exploitation allows attackers to manipulate Patreon pledge data, including unauthorized creation, modification, or deletion of pledge information, and disrupt patron-to-group synchronization.

Remediation

Update to Discourse version 2025.12.2, 2026.1.1, or 2026.2.0 to address this vulnerability. As an additional step, set the 'patreon_webhook_secret' site setting to a strong, non-empty secret value. Once a secret is configured, a valid signature cannot be produced without knowledge of that secret.
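The following is an added illustration of the check described above, written for this advisory and not taken from the Discourse plugin: a naive verifier that silently accepts an empty secret beside a hardened one that refuses to verify until a secret is configured and compares digests in constant time. The function names are hypothetical; the sample payload is constructed. Patreon signs request bodies with HMAC-MD5 and sends the hex digest in the X-Patreon-Signature header, which is the format assumed here.

```ruby
require "openssl"

# Constructed sample webhook body (not a real Patreon event).
SAMPLE_BODY = '{"data":{"type":"pledge","id":"1","attributes":{"amount_cents":500}}}'

# Naive check mirroring the flaw in the advisory: an unset or empty
# 'patreon_webhook_secret' is still used as the HMAC key, so a digest computed
# with an empty key matches and the payload is accepted as authentic.
def naive_verify(secret, body, signature)
  expected = OpenSSL::HMAC.hexdigest("MD5", secret.to_s, body)
  expected == signature
end

# Constant-time equality for fixed-format hex digests, so that byte-by-byte
# comparison timing does not leak how much of the signature was correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened check (hypothetical, illustrating the remediation): fail closed
# when no secret is configured, require a well-formed 32-hex-char MD5 digest
# in the header, then compare in constant time.
def verify_patreon_signature(secret, body, signature)
  return false if secret.nil? || secret.strip.empty?
  return false unless signature.is_a?(String) && signature.match?(/\A[0-9a-f]{32}\z/)
  expected = OpenSSL::HMAC.hexdigest("MD5", secret, body)
  constant_time_equal?(expected, signature)
end

# Digest a sender would attach when the receiver's secret is empty: this is
# what the naive verifier computes on its side, so the two always agree.
def empty_key_digest(body)
  OpenSSL::HMAC.hexdigest("MD5", "", body)
end

# Digest a genuine sender produces once a shared secret is configured.
def sign_body(secret, body)
  OpenSSL::HMAC.hexdigest("MD5", secret, body)
end
```

With the secret unset, naive_verify accepts the empty-key digest while verify_patreon_signature rejects every request; with a secret configured, only digests made with that secret pass.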

Added: Feb 26, 2026, 4:47 PM
Updated: Feb 26, 2026, 4:47 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 3.3
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.