PT-2026-22183 · Discourse · Discourse

Davidtaylorhq · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-27021

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Discourse versions prior to 2025.12.2
Discourse versions prior to 2026.1.1
Discourse versions prior to 2026.2.0

Description

Discourse is an open source discussion platform. Before versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint within the poll plugin did not have adequate checks for post visibility. This allowed unauthorized access to voter details associated with polls in any post. The voters endpoint is the component affected. No known workarounds are available.

Recommendations

Upgrade to Discourse version 2025.12.2 or later.
Upgrade to Discourse version 2026.1.1 or later.
Upgrade to Discourse version 2026.2.0 or later.

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BIT-DISCOURSE-2026-27021
CVE-2026-27021
GHSA-F5M5-9HPW-7C2G

Affected Products

Discourse