Access Control Flaw in Discourse's Subscription Plugin Affects Open-Source Platform
CVE-2026-34154
2.1 LOW
What is CVE-2026-34154?
A vulnerability in the subscriptions plugin of Discourse lets users access subscription-gated groups without the required payment, undermining the intended subscription model. The flaw exists in versions of Discourse preceding 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1, and has been remedied in subsequent updates.
Affected Version(s)
discourse < 2026.1.4
discourse >= 2026.3.0-latest, < 2026.3.1
discourse >= 2026.4.0-latest, < 2026.4.1