CVE-2026-31805 MEDIUM

CVE-2026-31805: Discourse has a poll authorization bypass via post_id array parameter

Vendor Discourse
Product discourse
Weakness CWE-863 · Incorrect authorization
Published March 20, 2026
Last update March 20, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
March 20, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-22316 IBM Sterling File Gateway improper access control CVE-2025-4960 macOS Local Privilege Escalation via Improper Authorization Handling in EPSON Printer Controller Installer CVE-2026-23982 Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass CVE-2026-25963 Fleet: Authorization Bypass in certificate template batch deletion for team administrators CVE-2021-24733 WP Post Page Clone < 1.2 - Unauthorised Post Access