Medium severity5.3NVD Advisory· Published Mar 31, 2026· Updated Apr 9, 2026

CVE-2026-33074

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

Discourse (software)/Discourse2 versions
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*+ 1 more
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
- cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*range: >=2026.1.0,<2026.1.3

Patches

c34f2aac8dcd

https://github.com/discourse/discoursevia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/discourse/discourse/commit/c34f2aac8dcd1ae2886fa84256f607bc003f9d80nvdPatch
github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghhnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000