Discourse: Patreon Integration Secret Key Missing, Data at Risk

Summary

An attacker can create, modify, or delete Patreon data on your site if the secret key for Patreon webhooks is left blank. This is fixed in updated versions of Discourse. To stay safe, make sure to set a strong, non-blank secret key for Patreon webhooks on your Discourse site.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
discourse	discourse	<= 2025.12.0	–
discourse	discourse	> 2026.1.0 , <= 2026.1.1	–
discourse	discourse	2026.2.0	–

Original title

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook si...

Original description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty string as the key. Since the request body is known to the sender, the attacker can produce a matching signature and send arbitrary webhook payloads. This allows unauthorized creation, modification, or deletion of Patreon pledge data and triggering patron-to-group synchronization. This vulnerability is patched in versions 2025.12.2, 2026.1.1, and 2026.2.0. The fix rejects webhook requests when the webhook secret is not configured, preventing signature forgery with an empty key. As a workaround, configure the `patreon_webhook_secret` site setting with a strong, non-empty secret value. When the secret is non-empty, an attacker cannot forge valid signatures without knowing the secret.

nvd CVSS3.1 7.5

Vulnerability type

CWE-639 Authorization Bypass Through User-Controlled Key

https://github.com/discourse/discourse/security/advisories/GHSA-frx4-wg35-4r68 Vendor Advisory