CVE-2026-33074 Overview
CVE-2026-33074 is a Privilege Escalation vulnerability affecting Discourse, an open-source discussion platform. This flaw allows a user to purchase a lower tier subscription but grant themselves the benefits associated with a higher tier subscription. The vulnerability exists in the discourse-subscriptions plugin's Stripe integration, where improper privilege management enables unauthorized access to premium features.
Critical Impact
Attackers can bypass subscription tier restrictions to gain access to premium features and benefits without proper payment, potentially causing financial losses and service abuse for platform operators.
Affected Products
- Discourse versions from 2026.1.0-latest up to, but not including, 2026.1.3
- Discourse versions from 2026.2.0-latest up to, but not including, 2026.2.2
- Discourse versions from 2026.3.0-latest up to, but not including, 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-33074 published to NVD
- 2026-04-01 - Last updated in the NVD database
Technical Details for CVE-2026-33074
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management). The flaw resides in how the discourse-subscriptions plugin handles Stripe API requests and subscription tier validation. Due to improper access control mechanisms in the Stripe integration module, users can manipulate their subscription tier benefits without proper authorization checks.
The attack is carried out over the network and requires some complexity to exploit. It does not compromise confidentiality or availability, but it does affect the integrity of the subscription system by allowing unauthorized privilege elevation.
Root Cause
The root cause lies in the improper handling of Stripe API key configuration within the discourse-subscriptions plugin. The original implementation used a before_action callback to set the API key globally via set_api_key, which created a security gap in how subscription requests were authenticated and authorized. This allowed users to potentially manipulate subscription tier assignments during the purchase flow.
Attack Vector
The attack is conducted over the network and requires the attacker to have an account on the vulnerable Discourse instance. The attacker can exploit the subscription purchase flow to request a lower tier subscription while obtaining the benefits of a higher tier. This is achieved by manipulating the subscription request parameters during the Stripe checkout process.
The following patch addresses the vulnerability by changing how Stripe API requests are handled:
module Stripe
extend ActiveSupport::Concern
- def set_api_key
- ::Stripe.api_key = SiteSetting.discourse_subscriptions_secret_key
+ def self.request_opts
+ { api_key: SiteSetting.discourse_subscriptions_secret_key }
+ end
+
+ def stripe_request_opts
+ DiscourseSubscriptions::Stripe.request_opts
end
def is_stripe_configured?
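Review bot: removing `set_api_key` means any `::Stripe::*` call in the plugin that is not also updated to pass `stripe_request_opts` is left with no API key at all, so every remaining call site needs the same extra argument; otherwise it fails with an authentication error rather than quietly reusing the old global key. The new `request_opts` and `stripe_request_opts` methods also deserve a one-line comment stating that the key is deliberately passed per request instead of being assigned to `::Stripe.api_key`, since that is the whole point of the change and the next reader will otherwise be tempted to restore the global assignment.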
Source: GitHub Commit c34f2aac
The fix also updates how Stripe API calls are made throughout the plugin:
requires_plugin PLUGIN_NAME
- before_action :set_api_key
-
def index
begin
- promo_codes = ::Stripe::PromotionCode.list({ limit: 100 })[:data]
+ promo_codes = ::Stripe::PromotionCode.list({ limit: 100 }, stripe_request_opts)[:data]
promo_codes = promo_codes.select { |code| code[:coupon][:valid] == true }
render_json_dump promo_codes
rescue ::Stripe::InvalidRequestError => e
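Review bot: the `rescue ::Stripe::InvalidRequestError => e` in `index` does not cover `::Stripe::AuthenticationError`, which is what `::Stripe::PromotionCode.list` raises when the key supplied through `stripe_request_opts` is empty or wrong, so an unconfigured `discourse_subscriptions_secret_key` now surfaces as an unhandled exception from this action; rescuing `::Stripe::StripeError` here, or guarding with the `is_stripe_configured?` check the concern already provides, would keep the failure handled. Separately, `{ limit: 100 }` fetches only the first page of promotion codes, so a site with more than 100 codes silently loses the rest.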
Source: GitHub Commit c34f2aac
Detection Methods for CVE-2026-33074
Indicators of Compromise
- Users with subscription tier benefits that do not match their payment records in Stripe
- Anomalous subscription creation requests with mismatched tier parameters
- Log entries showing subscription tier assignments that differ from the purchased plan
Detection Strategies
- Monitor Stripe webhook events for discrepancies between subscription purchases and tier assignments
- Audit user subscription records against Stripe payment history for tier mismatches
- Review application logs for unusual patterns in subscription controller actions
Monitoring Recommendations
- Enable detailed logging for the discourse-subscriptions plugin
- Set up alerts for subscription tier changes that bypass the normal purchase flow
- Implement Stripe Dashboard monitoring for unusual subscription patterns
How to Mitigate CVE-2026-33074
Immediate Actions Required
- Update Discourse to patched versions 2026.1.3, 2026.2.2, or 2026.3.0 immediately
- Audit existing user subscriptions for potential tier privilege mismatches
- Review Stripe payment records against assigned user benefits
Patch Information
The vulnerability has been addressed in Discourse versions 2026.1.3, 2026.2.2, and 2026.3.0. The patch modifies the Stripe API key handling to use per-request options instead of a global setting, improving the security of subscription tier validation. For detailed information, refer to the GitHub Security Advisory GHSA-9vg5-mp49-xghh.
Workarounds
- Manually audit all subscription tier assignments against Stripe payment records
- Temporarily disable the discourse-subscriptions plugin until the patch can be applied
- Implement additional server-side validation of subscription tiers in a custom plugin
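The audit of user subscriptions against Stripe payment history recommended under Detection Strategies, and the server-side tier validation suggested as a workaround above, both come down to the same check: the tier a user has been granted must not exceed the tier their paid Stripe subscription entitles them to. The Ruby below is an added example written for this page, not code from Discourse or the discourse-subscriptions plugin. It assumes a price-to-tier map (`PRICE_TO_TIER`), a tier ordering (`TIER_RANK`), and subscription records reduced to plain hashes with a `:status` and a list of `:items` carrying a `:price` id; the sample grants and Stripe records at the bottom are constructed for the demonstration.

```ruby
# Added example (not plugin code): reconcile locally granted subscription tiers
# against what the customer's Stripe subscription actually entitles them to.
# All names and data below are assumptions constructed for this illustration.

# Assumed mapping from Stripe price ids to the plugin's tier names.
PRICE_TO_TIER = {
  "price_basic"   => "basic",
  "price_premium" => "premium",
}.freeze

# Assumed ordering of tiers; a higher rank is a higher tier.
TIER_RANK = { "basic" => 1, "premium" => 2 }.freeze

# Tier a Stripe subscription entitles the customer to, or nil if the
# subscription is missing, not paid up, or references no known price.
def entitled_tier(stripe_sub)
  return nil if stripe_sub.nil?
  return nil unless %w[active trialing].include?(stripe_sub[:status])
  tiers = stripe_sub[:items].map { |item| PRICE_TO_TIER[item[:price]] }.compact
  tiers.max_by { |tier| TIER_RANK[tier] }
end

# Server-side validation to run before granting a tier: the requested tier is
# allowed only if it is at or below the tier the paid subscription entitles.
# Unknown tiers and missing subscriptions are rejected (fail closed).
def grant_allowed?(requested_tier, stripe_sub)
  entitled = entitled_tier(stripe_sub)
  return false if entitled.nil? || TIER_RANK[requested_tier].nil?
  TIER_RANK[requested_tier] <= TIER_RANK[entitled]
end

# Audit: compare every local grant with the Stripe record for that customer
# and return the grants that exceed what was paid for.
def audit_tier_mismatches(local_grants, stripe_subs_by_customer)
  local_grants.filter_map do |grant|
    sub = stripe_subs_by_customer[grant[:customer_id]]
    next if grant_allowed?(grant[:tier], sub)
    { user_id: grant[:user_id], granted: grant[:tier], entitled: entitled_tier(sub) }
  end
end

# Constructed sample data: local grants as the forum has recorded them.
LOCAL_GRANTS = [
  { user_id: 1, customer_id: "cus_a", tier: "basic" },    # paid basic, granted basic
  { user_id: 2, customer_id: "cus_b", tier: "premium" },  # paid basic, granted premium
  { user_id: 3, customer_id: "cus_c", tier: "premium" },  # subscription canceled
  { user_id: 4, customer_id: "cus_d", tier: "basic" },    # no Stripe record at all
].freeze

# Constructed sample data: simplified Stripe subscriptions keyed by customer.
STRIPE_SUBS = {
  "cus_a" => { status: "active",   items: [{ price: "price_basic" }] },
  "cus_b" => { status: "active",   items: [{ price: "price_basic" }] },
  "cus_c" => { status: "canceled", items: [{ price: "price_premium" }] },
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_tier_mismatches(LOCAL_GRANTS, STRIPE_SUBS).each do |mismatch|
    puts "user #{mismatch[:user_id]}: granted #{mismatch[:granted]}, " \
         "entitled #{mismatch[:entitled] || 'nothing'}"
  end
end
```

Run against real data, the local grants would come from the plugin's subscription records and the Stripe side from the Stripe API; the point of keeping `grant_allowed?` separate from the audit is that the same predicate can gate the purchase flow itself, so a request naming a tier above the purchased price is refused at the server rather than discovered later by the audit.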
# Update Discourse to the latest patched version
cd /var/discourse
./launcher rebuild app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.