CVE-2026-26078

{"id": "CVE-2026-26078", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T16:24:06.997", "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2025.12.2, 2026.1.1 y 2026.2.0, cuando la configuraci\u00f3n del sitio 'patreon_webhook_secret' est\u00e1 en blanco, un atacante puede falsificar firmas de webhook v\u00e1lidas calculando un HMAC-MD5 con una cadena vac\u00eda como clave. Dado que el cuerpo de la solicitud es conocido por el remitente, el atacante puede producir una firma coincidente y enviar cargas \u00fatiles de webhook arbitrarias. Esto permite la creaci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n no autorizada de datos de promesas de Patreon y el desencadenamiento de la sincronizaci\u00f3n de mecenas a grupo. Esta vulnerabilidad est\u00e1 parcheada en las versiones 2025.12.2, 2026.1.1 y 2026.2.0. La correcci\u00f3n rechaza las solicitudes de webhook cuando el secreto de webhook no est\u00e1 configurado, evitando la falsificaci\u00f3n de firmas con una clave vac\u00eda. Como soluci\u00f3n alternativa, configure la configuraci\u00f3n del sitio 'patreon_webhook_secret' con un valor secreto fuerte y no vac\u00edo. Cuando el secreto no est\u00e1 vac\u00edo, un atacante no puede falsificar firmas v\u00e1lidas sin conocer el secreto."}], "lastModified": "2026-03-02T21:52:09.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DB837D7-28C8-4E0F-B55F-AAAA36F32035", "versionEndExcluding": "2025.12.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CAFCC9D-53D7-4017-85A5-EE6CA5A6A11C", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "2026.1.0"}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.2.0:*:*:*:latest:*:*:*", "vulnerable": true, "matchCriteriaId": "BB002FDC-BC71-4C46-8AAF-A34EC717E0E7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}