If your forum runs on Discourse and uses Patreon for login, you might have been exposed to a critical security issue: CVE-2022-39355. This easy-to-miss vulnerability could allow an attacker to take control over any user’s forum account under the right conditions. In this long-read, we'll break down what went wrong, show code snippets, share how to check if you're vulnerable, and provide guidance for fixing and mitigating the issue.

What is Discourse + Patreon Integration?

Discourse is a widely used open-source forum platform. Many forums use Patreon to give backers exclusive access by linking Discourse groups with Patreon rewards. This is done using the discourse-patreon plugin.

Normally, a user can log in to the Discourse forum using their Patreon account, and their membership level decides which forum groups they're added to. Easy, right? But in late 2022, a critical issue was discovered.

Summary

On forums with Patreon login enabled, an improper authentication vulnerability in the plugin allowed attackers to *take control of accounts* if the victim had logged in using a Patreon account with an unverified email.

The bad logic: the plugin let users log in and associate Discourse accounts with Patreon accounts without checking if the Patreon email was verified.

What could possibly go wrong?

Anyone with an unverified email on Patreon could use it to register or log in to the forum. This could let an attacker claim forum accounts just by making sure their Patreon email matched the victim’s forum email.

Technical Details and Patch Information

The bug was fixed in commit 846d012151514b35ce42a1636c7d70f6dcee879e.

Vulnerable plugin: discourse-patreon  
Version fixed: See commit for latest

The commit adds a check to see if the email_verified field on the Patreon account is set to true. If not, login is denied.

Here’s a simplified version of the relevant fix in Ruby:

# OLD (vulnerable) code
user = find_or_create_user_from_patron_data(patreon_data)
login_user(user)

# NEW (fixed) code
if patreon_data["email_verified"]
  user = find_or_create_user_from_patron_data(patreon_data)
  login_user(user)
else
  # Deny login if Patreon email not verified
  raise "Email not verified via Patreon"
end

Original patch:
See the diff of commit 846d012151514b35ce42a1636c7d70f6dcee879e in the discourse-patreon repository.
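As an added illustration (not the plugin's own code), the following self-contained Ruby models the login decision before and after the fix: the vulnerable path matches on the provider's email alone, while the hardened path refuses any identity whose email_verified flag is not exactly true, so a missing or null flag is treated as unverified. User, UserStore, Decision and the identity hashes are constructed for this example.

```ruby
# Added example, not the discourse-patreon plugin's code: models the login
# decision before and after the CVE-2022-39355 fix. All names below are constructed.

# A forum account; patreon_id is nil until a Patreon identity is linked.
User = Struct.new(:id, :email, :patreon_id, keyword_init: true)

# What the login handler decided and why.
Decision = Struct.new(:action, :user, :reason, keyword_init: true)

# Minimal in-memory user store standing in for the forum database.
class UserStore
  def initialize(users)
    @users = users
  end

  # Case-insensitive lookup by email, the way a forum matches accounts.
  def by_email(email)
    @users.find { |u| u.email.casecmp?(email.to_s) }
  end
end

# Vulnerable behaviour: trust the provider's email unconditionally, so any
# Patreon account carrying the victim's address lands in the victim's account.
def resolve_login_vulnerable(identity, store)
  user = store.by_email(identity["email"])
  return Decision.new(action: :login, user: user, reason: "email match") if user
  Decision.new(action: :create, user: nil, reason: "new user")
end

# Hardened behaviour, mirroring the fix: refuse before any lookup unless the
# provider explicitly reports the email as verified. Comparing against `true`
# (not truthiness) means a missing, nil or string-valued flag is also refused.
def resolve_login_hardened(identity, store)
  unless identity["email_verified"] == true
    return Decision.new(action: :deny, user: nil, reason: "Email not verified via Patreon")
  end
  user = store.by_email(identity["email"])
  return Decision.new(action: :login, user: user, reason: "verified email match") if user
  Decision.new(action: :create, user: nil, reason: "new verified user")
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new([User.new(id: 1, email: "victim@example.com", patreon_id: nil)])
  unverified = { "id" => "p-999", "email" => "victim@example.com", "email_verified" => false }
  puts "before fix: #{resolve_login_vulnerable(unverified, store).action}" # login
  puts "after fix:  #{resolve_login_hardened(unverified, store).action}"   # deny
end
```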

How the Attack Works

1. Attacker knows the email address of the victim's forum account.
2. Attacker creates a Patreon account using that email, without verifying the address.
3. Attacker uses Patreon login on the Discourse forum; no check is done to make sure the Patreon email is verified.
4. Forum sees the matching email and lets the attacker log in as the victim (or links the attacker’s Patreon to the victim’s account), effectively taking it over.

*No need for a password or any other tricks! If the account was never logged in with verified email, this works seamlessly.*

Here’s what the attack might look like in pseudo steps (not real code):

# Attacker’s actions
1. Register new Patreon account: evil@victim.com
2. DO NOT verify email on Patreon.
3. Go to the Discourse forum with Patreon login.
4. Click "Sign in with Patreon".
5. Login is successful and attacker now can access/claim victim’s account.

Official Patch

Update to the latest version of the discourse-patreon plugin that includes commit 846d012151514b35ce42a1636c7d70f6dcee879e. This will ensure unverified Patreon emails can no longer be used to log in or take over accounts.

After Applying the Patch

- When account holders try to log in and their Patreon email is unverified, they will be asked to verify their email first.

References

- Discourse CVE-2022-39355 GitHub Advisory
- discourse-patreon plugin commit fixing the bug
- Discourse Security Announcements

Closing Thoughts

CVE-2022-39355 is a reminder that every external login integration must carefully check identity—even through trusted partners like Patreon.  
If you run a Discourse forum with Patreon enabled, patch now, or risk unwanted account takeovers.

Check your plugin version, update if needed, and make sure your community stays safe!  
If in doubt, disable the plugin until you can verify you’re protected.
*For questions, check the official plugin repo or post on Discourse Meta.*

Timeline

Published on: 10/26/2022 20:15:00 UTC
Last modified on: 10/28/2022 19:39:00 UTC