CVE-2026-34154— Discourse has a subscription access bypass in its discourse-subscriptions plugin
Possible ATT&CK Techniques 1AI
T1136 · Create AccountGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34154
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Discourse has a subscription access bypass in its discourse-subscriptions plugin
Source: NVD (National Vulnerability Database)
Vulnerability Description
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Discourse 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 2026.1.4之前版本、2026.3.1之前版本、2026.4.1之前版本和2026.5.0-latest.1之前版本存在安全漏洞,该漏洞源于discourse-subscriptions插件允许用户无需完成支付即可访问订阅限制组。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-34154
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-34154
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-34154 (1)
Same Patch Batch · discourse · 2026-05-19 · 3 CVEs total
| CVE-2026-32244 | 5.3 MEDIUM | Discourse: Cached outdated summaries can leak removed content |
| CVE-2026-33514 | Discourse: Information Disclosure in Form Template API Due to Missing Authorization |
IV. Related Vulnerabilities
Same product: discourse
- CVE-2026-33514
Discourse: Information Disclosure in Form Template API Due t - CVE-2026-32244
Discourse: Cached outdated summaries can leak removed conten - CVE-2026-34947
Discourse: Staged user custom fields are exposed on public i - CVE-2026-27481
Discourse: Hidden tag visibility bypass on tag routes - CVE-2026-33415
Discourse: Improper Access Control in discourse-ai Allows Un
Same vendor: discourse
- CVE-2026-33514
Discourse: Information Disclosure in Form Template API Due t - CVE-2026-32244
Discourse: Cached outdated summaries can leak removed conten - CVE-2026-34947
Discourse: Staged user custom fields are exposed on public i - CVE-2026-27481
Discourse: Hidden tag visibility bypass on tag routes - CVE-2026-33415
Discourse: Improper Access Control in discourse-ai Allows Un
Same weakness: CWE-862
- CVE-2026-2601
Missing Authorization in GitLab - CVE-2026-5296
Missing Authorization in GitLab - CVE-2026-45717
Budibase: `PUT /api/datasources/:datasourceId` is protected - CVE-2026-46425
Budibase: SCIM endpoints lack role-based authorization, BASI - CVE-2026-48151
Budibase: Webhook schema endpoint authorization bypass allow
V. Comments for CVE-2026-34154
No comments yet