Missing Authentication for Critical Function in Discourse - CVE-2026-26078
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to modify or delete Patreon pledge data and trigger patron-to-group synchronization.
The vulnerability exists due to improper authentication in the Patreon plugin webhook endpoint when handling webhook requests with a blank patreon_webhook_secret site setting. A remote attacker can send a specially crafted webhook payload with a forged signature to modify or delete Patreon pledge data and trigger patron-to-group synchronization.
Exploitation is possible only when the patreon_webhook_secret site setting is left empty.
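As an added illustration, not code from Discourse or its Patreon plugin, the check below contrasts the failure mode the advisory describes (a verifier that computes the HMAC with whatever secret is configured, so a blank secret behaves like a publicly known key) with a version that fails closed when no secret is set. The HMAC-MD5 digest and the `X-Patreon-Signature` header name are assumptions about Patreon's webhook format; the body, secret and signatures are constructed sample values.

```ruby
require "openssl"

# Assumption: Patreon signs the raw request body with HMAC-MD5 and sends
# the hex digest in the X-Patreon-Signature header. Discourse reads the
# secret from the patreon_webhook_secret site setting; here it is passed in.
DIGEST = "MD5"

def sign(secret, body)
  OpenSSL::HMAC.hexdigest(DIGEST, secret, body)
end

# Weak pattern: with patreon_webhook_secret blank, the "secret" is the
# empty string, which anyone can use to compute a matching signature.
def weak_verify(secret, body, signature)
  sign(secret.to_s, body) == signature
end

# Constant-time comparison so mismatch timing leaks nothing about the digest.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern: refuse to authenticate at all until a secret is
# configured, reject a missing header, then compare in constant time.
def hardened_verify(secret, body, signature)
  return false if secret.nil? || secret.strip.empty?
  return false if signature.nil? || signature.empty?
  constant_time_equal?(sign(secret, body), signature)
end

# Constructed sample webhook body and site secret.
SAMPLE_BODY = '{"data":{"type":"pledge","id":"123"}}'
SAMPLE_SECRET = "constructed-example-secret"

if __FILE__ == $PROGRAM_NAME
  blank_secret_sig = sign("", SAMPLE_BODY)
  puts "weak check, blank secret:     #{weak_verify('', SAMPLE_BODY, blank_secret_sig)}"
  puts "hardened check, blank secret: #{hardened_verify('', SAMPLE_BODY, blank_secret_sig)}"
  puts "hardened check, real secret:  #{hardened_verify(SAMPLE_SECRET, SAMPLE_BODY, sign(SAMPLE_SECRET, SAMPLE_BODY))}"
end
```

In the weak form the blank-secret request is accepted; the hardened form rejects it and only accepts a signature produced with the configured secret.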