Discourse Subscription Tier Escalation before 2026.2.2
CVE-2026-33074 Published on March 31, 2026
Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that come along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
Weakness Types
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-33074 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-33074
Affected Versions
discourse:
- Version >= 2026.1.0-latest, < 2026.1.3 is affected.
- Version >= 2026.2.0-latest, < 2026.2.2 is affected.
- Version >= 2026.3.0-latest, < 2026.3.0 is affected.