CVE-2026-33073

# Conceptual Proof of Concept for CVE-2026-33073 # This script demonstrates how one might check for leaked Stripe keys in a multi-site setup. import requests def check_stripe_leak(target_url): headers = { 'User-Agent': 'CVE-2026-33073-Scanner' } try: # In a real scenario, the specific endpoint leaking the key would be targeted response = requests.get(target_url, headers=headers, timeout=10) if response.status_code == 200: content = response.text # Stripe keys usually start with sk_live_, sk_test_, pk_live_, pk_test_ if 'sk_live_' in content or 'pk_live_' in content: print(f"[!] Potential Stripe API Key Leak found at: {target_url}") print(f"[+] Context: {content[:100]}...") return True else: print(f"[-] No leak detected at: {target_url}") return False except requests.RequestException as e: print(f"[Error] Request failed: {e}") return False # Example usage # target = "http://target-discourse-site.com/some/endpoint" # check_stripe_leak(target)

{"cve": {"id": "CVE-2026-33073", "sourceIdentifier": "[email protected]", "published": "2026-03-31T18:16:51.807", "lastModified": "2026-04-10T01:51:54.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across sites within the same multisite cluster. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.1.0", "versionEndExcluding": "2026.1.3", "matchCriteriaId": "F64DA8FA-BC32-4EB9-B508-6425684D3245"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*", "versionStartIncluding": "2026.2.0", "versionEndExcluding": "2026.2.2", "matchCriteriaId": "26546710-17B3-4C72-930F-3BE0AD969127"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*", "matchCriteriaId": "DFA536C2-E9D9-4A03-89C2-C344DE682EA1"}]}]}], "references": [{"url": "https://github.com/discourse/discourse/commit/c34f2aac8dcd1ae2886fa84256f607bc003f9d80", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/discourse/discourse/security/advisories/GHSA-f866-8fcp-fgvv", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}