Discourse Discourse-Subscriptions Plugin Stripe API Key Leakage Vulnerability in Multisite Environments
Vulnerability
A vulnerability exists in the Discourse open-source discussion platform, specifically within the discourse-subscriptions plugin. This issue affects Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The vulnerability allows for the leakage of Stripe API keys across sites within the same multisite cluster, potentially exposing Stripe-related information between those sites.
Impact
The vulnerability could lead to unauthorized access to Stripe API keys, allowing for the interception or misuse of Stripe-related data and functionalities across different sites in a multisite Discourse installation.
Reproduction
In a multisite Discourse environment running an affected version of the discourse-subscriptions plugin, the Stripe API key is set globally rather than per site. When a request is made to the Stripe API, this global key is used, so in a multi-threaded environment the key can leak across concurrent requests from different sites. The issue can be reproduced by creating a subscription that requires 3D Secure authentication and then manually supplying, during the finalization step, a plan ID other than the one actually paid for.
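The cross-request leakage described above, as an added example that is not code from Discourse or the discourse-subscriptions plugin: a deterministic Ruby simulation in which a process-wide key (FakeStripe.api_key, a constructed stand-in for a client's global key) is overwritten by another site's request before the first request is sent, beside a per-request key that cannot leak. The site names, keys and helper names are constructed for the example.

```ruby
# Constructed per-site keys; in a real deployment each site would load its own.
SITE_KEYS = { 'site_a' => 'sk_test_site_a', 'site_b' => 'sk_test_site_b' }.freeze

# Stand-in for a Stripe client whose key is one process-wide value.
module FakeStripe
  class << self
    attr_accessor :api_key # shared by every site in the process
  end

  # Returns the key the "request" is sent with: a per-request key if given,
  # otherwise whatever the global holds at send time.
  def self.request(per_request_key = nil)
    per_request_key || api_key
  end
end

# Vulnerable pattern: configure the global, then send. The Fiber.yield between
# the two steps models another site's request running in between.
def global_key_request(site)
  Fiber.new do
    FakeStripe.api_key = SITE_KEYS[site]
    Fiber.yield
    FakeStripe.request
  end
end

# Hardened pattern: the key travels with the request and never touches
# shared state, so interleaving cannot change which key is used.
def scoped_key_request(site)
  Fiber.new do
    key = SITE_KEYS[site]
    Fiber.yield
    FakeStripe.request(key)
  end
end

# Interleaves one request per site: every site configures, then every site
# sends. Returns a hash of site => key actually used for that site's request.
def keys_used_when_interleaved(&build)
  fibers = SITE_KEYS.keys.map { |site| [site, build.call(site)] }
  fibers.each { |_, f| f.resume }            # step 1 for each site
  fibers.to_h { |site, f| [site, f.resume] } # step 2: key actually sent
end

if $PROGRAM_NAME == __FILE__
  p keys_used_when_interleaved { |s| global_key_request(s) } # site_a leaks
  p keys_used_when_interleaved { |s| scoped_key_request(s) } # no leak
end
```

The real stripe-ruby client accepts a per-request `api_key:` option, which is the equivalent of the scoped pattern here.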
Remediation
Users are advised to update to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0. If an immediate update is not possible, the discourse-subscriptions plugin can be removed as a temporary workaround.
