Vulnerability Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.
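The description above names the bug class: a request parameter that can arrive as either a scalar or an array, coerced separately by the authorization check and by the resource lookup, so the two paths can resolve to different records. The following Ruby model is an added illustration and is not Discourse's or the poll plugin's code; the post and access data are constructed, and the `first`/`last` coercion split in `vote_vulnerable` is an assumed mechanism that reproduces the effect the advisory describes, not a claim about the plugin's implementation. `vote_hardened` shows the defensive pattern: reject non-scalar input, resolve the target once, and authorize against the same object the action then operates on.

```ruby
# Added illustration (not Discourse code): how a multi-valued request parameter
# can make an authorization check and a resource lookup disagree, and how to
# close that gap. All data below is constructed sample data.
require "uri"

# post_id => { topic it belongs to, the poll attached to it }
POSTS = {
  10 => { topic_id: 100, poll: "poll-on-post-10" },
  20 => { topic_id: 200, poll: "poll-on-post-20" },
}.freeze

# Topics each user is allowed to read (alice may read topic 100 only).
ACCESS = { "alice" => [100] }.freeze

class Forbidden < StandardError; end
class BadRequest < StandardError; end

# Parse a query string the way Rack-style parsers do: "k[]=a&k[]=b" yields an
# Array under "k", while "k=a" yields the String "a".
def parse_params(query)
  params = {}
  URI.decode_www_form(query).each do |key, value|
    if key.end_with?("[]")
      (params[key.delete_suffix("[]")] ||= []) << value
    else
      params[key] = value
    end
  end
  params
end

def can_see?(user, post_id)
  post = POSTS[post_id]
  !post.nil? && ACCESS.fetch(user, []).include?(post[:topic_id])
end

# Vulnerable pattern (assumed mechanism): two call sites each coerce the raw
# parameter on their own. The guard happens to take the first element and the
# lookup the last, so an array with one accessible and one inaccessible id
# passes the check but acts on the wrong poll.
def vote_vulnerable(user, params)
  raw       = params["post_id"]
  guard_id  = Array(raw).first.to_i   # what the authorization check sees
  lookup_id = Array(raw).last.to_i    # what the poll lookup sees
  raise Forbidden unless can_see?(user, guard_id)
  POSTS.fetch(lookup_id)[:poll]
end

# Hardened pattern: insist on a single scalar id, parse it once, authorize
# against that id, and operate on the very same record.
def vote_hardened(user, params)
  raw = params["post_id"]
  raise BadRequest, "post_id must be a single value" unless raw.is_a?(String)
  post_id = begin
    Integer(raw, 10)
  rescue ArgumentError
    raise BadRequest, "post_id must be an integer"
  end
  raise Forbidden unless can_see?(user, post_id)
  POSTS.fetch(post_id)[:poll]
end

# Stand-alone demonstration of the three request shapes.
if __FILE__ == $0
  ["post_id=10", "post_id=20", "post_id[]=10&post_id[]=20"].each do |q|
    [:vote_vulnerable, :vote_hardened].each do |fn|
      begin
        puts "#{fn} #{q} => #{send(fn, 'alice', parse_params(q))}"
      rescue Forbidden, BadRequest => e
        puts "#{fn} #{q} => rejected (#{e.class})"
      end
    end
  end
end
```

The defensive point is structural rather than a matter of which element is picked: once the controller resolves the post exactly once and threads that single object through both the permission check and the action, there is no second coercion for a differently shaped parameter to exploit. Rejecting array-typed input up front also turns the probe into a 400 that is easy to log and alert on.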
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | >= 2026.1.0, < 2026.1.2 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a4087 (Patch)
- https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823 (Vendor Advisory)
FAQ
What is CVE-2026-31805?
CVE-2026-31805 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove ...
How severe is CVE-2026-31805?
CVE-2026-31805 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-31805?
Check the references section above for vendor advisories and patch information. Affected products include Discourse (vendor: Discourse).