PT-2026-26542 · Discourse · Discourse
Jomaxro
·
Published
2026-03-20
·
Updated
2026-03-27
·
CVE-2026-31805
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Discourse versions prior to 2026.3.0-latest.1
Discourse versions prior to 2026.2.1
Discourse versions prior to 2026.1.2
Description
Discourse is an open-source discussion platform. An authorization bypass in the poll plugin allowed authenticated users to perform actions on polls they were not authorized to access, including voting, removing votes, and changing the open/closed status of polls. The issue occurred because the authorization check and the poll lookup resolved the post_id parameter differently when it was passed as an array (e.g., post_id[]=&post_id[]=). This affected the following API endpoints within the DiscoursePoll::PollsController: /vote, /remove_vote, /toggle_status. The post_id parameter is the vulnerable parameter.
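The check-versus-lookup mismatch described above, as an added illustration that is not Discourse's own code: a hypothetical Rack-style handler whose permission check and record lookup resolve an array-valued post_id to different posts, next to a hardened version that accepts only a single numeric id and resolves it once. The post data, user names and the two resolution rules are constructed for this example.

```ruby
require 'cgi'

# Constructed sample data (not real Discourse records): post 1 is visible to
# "alice" only, post 2 to "bob" only; each post owns one poll with a vote count.
POSTS = {
  1 => { visible_to: ['alice'], poll: { status: 'open', votes: 0 } },
  2 => { visible_to: ['bob'],   poll: { status: 'open', votes: 0 } },
}

# Minimal Rack-style query parser (hypothetical): "post_id[]=1&post_id[]=2"
# yields an Array, "post_id=1" yields a String, exactly the ambiguity at issue.
def parse_params(query)
  params = {}
  CGI.parse(query).each do |key, values|
    if key.end_with?('[]')
      params[key.chomp('[]')] = values
    else
      params[key] = values.first
    end
  end
  params
end

# Hypothetical vulnerable handler: the permission check resolves the id one way
# (last element), the poll lookup another (first element). A scalar id makes
# both agree; an array lets the check pass on one post and the write hit another.
def vote_vulnerable(user, params)
  raw = params['post_id']
  authz_id  = Array(raw).last.to_i
  lookup_id = Array(raw).first.to_i
  return :forbidden unless POSTS.dig(authz_id, :visible_to)&.include?(user)
  poll = POSTS.dig(lookup_id, :poll)
  return :not_found unless poll
  poll[:votes] += 1
  :ok
end

# Hardened handler: reject anything that is not a single numeric id, resolve it
# once, and use that one value for both the permission check and the lookup.
def vote_hardened(user, params)
  raw = params['post_id']
  return :bad_request unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  post = POSTS[raw.to_i]
  return :not_found unless post
  return :forbidden unless post[:visible_to].include?(user)
  post[:poll][:votes] += 1
  :ok
end
```

The same rule generalises to any id-typed parameter: validate the shape once at the boundary, then pass the resolved value, not the raw params hash, to both the guardian check and the query.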
Recommendations
Update Discourse to version 2026.3.0-latest.1 or later.
Update Discourse to version 2026.2.1 or later.
Update Discourse to version 2026.1.2 or later.
Exploit
Fix
RCE
Incorrect Authorization
Related Identifiers
Affected Products
Discourse