Discourse Discourse-Subscriptions Plugin Subscription Access Bypass Vulnerability

Vulnerability

A vulnerability exists in the Discourse platform's discourse-subscriptions plugin, allowing users to access subscription-gated groups without making a payment. This issue is present in Discourse versions prior to 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1.

Impact

Exploitation of this vulnerability allows users to bypass payment requirements and gain unauthorized access to subscription-gated groups.

Remediation

Administrators can update Discourse to version 2026.1.4, 2026.3.1, 2026.4.1, or 2026.5.0-latest.1 to address this vulnerability. Alternatively, the discourse-subscriptions plugin can be disabled.

Added: May 19, 2026, 7:24 PM
Updated: May 19, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 1.3
exploitability: 3.3
remediation: 8.3
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.