Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0901

NIXPKGS-2026-0901
published on
Permalink CVE-2026-33074
updated 2 days, 13 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 17 hours ago
  • @LeSuisse removed package discourse-mail-receiver 2 days, 14 hours ago
  • @LeSuisse removed package python312Packages.pydiscourse 2 days, 14 hours ago
  • @LeSuisse removed package python313Packages.pydiscourse 2 days, 14 hours ago
  • @LeSuisse removed package python314Packages.pydiscourse 2 days, 14 hours ago
  • @LeSuisse removed package grafanaPlugins.grafana-discourse-datasource 2 days, 14 hours ago
  • @LeSuisse removed maintainer @talyz 2 days, 14 hours ago
  • @LeSuisse accepted 2 days, 14 hours ago
  • @LeSuisse published on GitHub 2 days, 13 hours ago
Discourse: Vulnerability in discourse-subscriptions plugin allowing users to self-grant to higher tier subscriptions

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher tier subscription. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

discourse
  • ==>= 2026.2.0-latest, < 2026.2.2
  • ==>= 2026.1.0-latest, < 2026.1.3
  • ==>= 2026.3.0-latest, < 2026.3.0

Matching in nixpkgs

Package maintainers

Ignored maintainers (1) 
https://github.com/discourse/discourse/security/advisories/GHSA-9vg5-mp49-xghh