CVE-2026-31805

MEDIUM 5.3

Discourse has a poll authorization bypass via post_id array parameter

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

12th

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

CWE	CWE-863 CWE-20
Vendor	discourse
Product	discourse
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for discourse discourse

Be the first to know when new medium vulnerabilities affecting discourse discourse are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

discourse / discourse

>= 2026.1.0-latest, < 2026.1.2 >= 2026.2.0-latest, < 2026.2.1 = 2026.3.0-latest.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823 github.com: https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4