Discourse Subscription Flaw Lets Users Grab Higher Tiers

CVE Notify is flagging a vulnerability in Discourse, the popular open-source discussion platform. The bug, tracked as CVE-2026-33074, lets a user obtain premium subscription benefits without paying for the higher tier: they purchase a cheaper subscription and then exploit the flaw to unlock features reserved for more expensive plans.

The vulnerability affects several versions of Discourse, specifically the 2026.1.0, 2026.2.0, and 2026.3.0 release lines prior to their respective patch versions. CVE Notify points out that the issue has been addressed and fixed in Discourse versions 2026.1.3, 2026.2.2, and 2026.3.0. The fix landed as a commit to the Discourse GitHub repository, so the development team has closed this particular security hole.

What This Means For You

  • Immediately verify that your Discourse instance is updated to at least version 2026.1.3, 2026.2.2, or 2026.3.0 to mitigate the risk of subscription tier abuse.
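The version check above is easy to get wrong when a vulnerability spans several release lines (2026.1.5 is patched even though it is numerically below 2026.2.2). The following script is an added example, not code from Discourse or CVE Notify: it encodes the fixed versions exactly as this advisory lists them and classifies a running version against the fix for its own release line. It assumes Discourse version strings look like "major.minor.patch" with an optional pre-release or dev suffix, and that the running version is exposed under `about.version` in the JSON served at `/about.json`; the sample JSON payload is constructed, not captured from a real instance.

```python
"""Check a Discourse version string against the affected/fixed ranges given in
the CVE-2026-33074 advisory.  Added example; not code from Discourse or CVE Notify.
"""
import json
import re

# Fixed version per affected release line, exactly as the advisory states them.
FIXED_VERSIONS = {
    (2026, 1): (2026, 1, 3),
    (2026, 2): (2026, 2, 2),
    (2026, 3): (2026, 3, 0),
}

# "major.minor.patch" with an optional trailing pre-release/dev suffix.
# Assumption (not from the advisory): any suffix such as ".beta1" or "-dev"
# marks a build that precedes the final release of the same number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_final)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 0 if suffix else 1  # a pre-release sorts before the final build
    return (int(major), int(minor), int(patch), is_final)


def assess(version_text):
    """Classify a version as 'affected', 'patched' or 'not_in_advisory_scope'.

    A version is compared only against the fix for its own release line:
    2026.1.5 is patched even though it is numerically below 2026.2.2, and a
    pre-release of the fixed number (2026.1.3.beta1) still counts as affected.
    Lines the advisory does not list are reported as out of scope rather than
    guessed at.
    """
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "not_in_advisory_scope"
    fixed_full = fixed + (1,)  # the fix is a final release
    return "patched" if v >= fixed_full else "affected"


def version_from_about_json(payload):
    """Extract the running version from the JSON Discourse serves at /about.json.

    Assumption: the version lives under about.version; adjust the key path if
    your instance differs.
    """
    data = json.loads(payload) if isinstance(payload, str) else payload
    return data["about"]["version"]


# Constructed sample response modelled on the shape of /about.json; not captured
# from any real instance.
SAMPLE_ABOUT_JSON = json.dumps({"about": {"title": "Example Forum", "version": "2026.1.2"}})


if __name__ == "__main__":
    running = version_from_about_json(SAMPLE_ABOUT_JSON)
    print(f"running {running}: {assess(running)}")
    for v in ["2026.1.3", "2026.1.5", "2026.2.1", "2026.2.2",
              "2026.3.0", "2026.1.3.beta1", "2025.12.0"]:
        print(f"{v:>16}: {assess(v)}")
```

Point the script at the JSON your own instance returns from `/about.json` (or at the version shown in the admin dashboard) and treat "affected" as a signal to upgrade along the release line you are already on.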

Indicators of Compromise

ID             | Type        | Indicator
CVE-2026-33074 | Auth Bypass | Discourse, versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. Vulnerability allows users to purchase a lower tier subscription but gain benefits of a higher tier subscription.