CVE-2026-34154 Discourse has a subscription access bypass in its discourse-subscriptions plugin

🗓️ 19 May 2026 18:41:55Reported by GitHub_MType

Discourse subscription plugin flaw allows access to paid groups without payment; fixed in recent versions.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-34154	19 May 202618:41	–	attackerkb
CNNVD	Discourse 安全漏洞	19 May 202600:00	–	cnnvd
CVE	CVE-2026-34154	19 May 202618:41	–	cve
EUVD	EUVD-2026-30969	19 May 202618:41	–	euvd
NVD	CVE-2026-34154	19 May 202619:16	–	nvd
OSV	BIT-DISCOURSE-2026-34154 Discourse has a subscription access bypass in its discourse-subscriptions plugin	25 May 202614:46	–	osv
Positive Technologies	PT-2026-41996	19 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-34154	5 Jun 202619:50	–	redhatcve
Vulnrichment	CVE-2026-34154 Discourse has a subscription access bypass in its discourse-subscriptions plugin	19 May 202618:41	–	vulnrichment

[
  {
    "vendor": "discourse",
    "product": "discourse",
    "versions": [
      {
        "version": "< 2026.1.4",
        "status": "affected"
      },
      {
        "version": ">= 2026.3.0-latest, < 2026.3.1",
        "status": "affected"
      },
      {
        "version": ">= 2026.4.0-latest, < 2026.4.1",
        "status": "affected"
      },
      {
        "version": ">= 2026.5.0-latest, < 2026.5.0-latest.1",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g

19 May 2026 18:41Current

CVSS 42.1

EPSS0.00053

CWE-862