CVE-2026-31805 in Discourse

Summary

by MITRE • 03/20/2026

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.


Analysis

by VulDB Data Team • 03/25/2026

This vulnerability represents a critical authorization bypass flaw in the Discourse discussion platform's poll plugin functionality. The issue stems from a fundamental mismatch in how the system processes post identifiers when handling array-based parameters, creating a pathway for authenticated users to manipulate poll operations on posts they should not have access to. The vulnerability specifically affects the DiscoursePoll::PollsController endpoints including vote, remove_vote, and toggle_status operations, where the authorization logic fails to properly validate access rights when post_id parameters are submitted as arrays. This authorization bypass allows malicious actors to perform unauthorized actions on polls within posts they do not own or have permissions to access, effectively undermining the platform's access control mechanisms.

The vulnerability exploits a parameter handling inconsistency within the poll plugin's backend logic. When an authenticated user submits the post_id parameter in array format, such as post_id[]=&post_id[]=, the system's authorization check resolves to the first accessible post in the array while the poll lookup operation resolves to a different post's poll data. This discrepancy occurs because the authorization verification process and the poll data retrieval process handle array parameters differently, so the post that is authorized is not necessarily the post whose poll is modified. The vulnerability is particularly dangerous because it leverages the legitimate array parameter functionality of web applications while exploiting a flaw in the validation process, making it difficult to detect through standard security monitoring mechanisms. This type of vulnerability is categorized under CWE-285: Improper Authorization, which specifically addresses situations where authorization checks fail to properly validate user permissions.

The operational impact of this vulnerability extends beyond simple unauthorized poll manipulation to potentially compromise the integrity of discussion threads and community engagement metrics. Attackers could manipulate poll results by voting on polls in posts they don't own, remove legitimate votes from polls they shouldn't access, or toggle poll statuses to prevent legitimate users from participating in discussions. This could lead to skewed community feedback, manipulation of discussion outcomes, and potential disruption of platform functionality. The vulnerability affects the core polling functionality of Discourse, which is commonly used for community decision-making, feedback collection, and engagement tracking. Organizations relying on Discourse for community management, customer feedback, or internal discussion platforms face significant risks of data integrity compromise and potential manipulation of community-driven processes. The attack vector is relatively simple to execute, requiring only basic knowledge of web application parameter manipulation techniques and access to authenticated user accounts.

The patch implemented in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 addresses this vulnerability by strengthening the parameter validation logic within the poll plugin's controller. The fix ensures that when array parameters are submitted, both the authorization check and the poll data lookup operations use consistent post identification methods, preventing the bypass scenario where different posts are referenced in the two validation processes. This remediation aligns with the principle of least privilege and proper access control implementation as outlined in cybersecurity best practices. Organizations should prioritize updating their Discourse installations to the patched versions immediately, as the vulnerability could be exploited by malicious users with legitimate access to the platform. The fix demonstrates the importance of thorough parameter validation in web applications, particularly when dealing with array-based inputs that can create unexpected logical flows. Security teams should also implement monitoring for unusual poll activity patterns and parameter usage that might indicate exploitation attempts, as this vulnerability could be leveraged as part of broader attack campaigns targeting community platforms. The vulnerability's classification under ATT&CK technique T1078.004 (Valid Accounts: SSH) and T1566.001 (Phishing: Spearphishing Attachment) highlights the potential for exploitation through compromised user accounts, emphasizing the need for comprehensive security monitoring and access control verification across all platform components.
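The mismatch between the authorization check and the poll lookup, and the consistent resolution described for the patch, can be modelled in a few lines. This is an added example, not Discourse's code: the in-memory posts and polls, the error classes, both handlers, and the way each step picks an element from the array are assumptions made for illustration.

```ruby
# Constructed model of the bug class; not Discourse's code. The data, the
# error classes and both handlers are hypothetical.
Post = Struct.new(:id, :visible_to)
Poll = Struct.new(:post_id, :votes)
POSTS = { 1 => Post.new(1, [:alice, :bob]), 2 => Post.new(2, [:bob]) }.freeze
Forbidden  = Class.new(StandardError)
BadRequest = Class.new(StandardError)

def fresh_polls
  { 1 => Poll.new(1, []), 2 => Poll.new(2, []) }
end

# Flawed shape: the guard and the lookup each interpret params[:post_id] on
# their own, so an array value can make them disagree (assumed mechanism:
# the guard uses the first element, the lookup uses the last).
def vote_flawed(polls, user, params)
  guard_post = POSTS[Array(params[:post_id]).first.to_i]
  raise Forbidden unless guard_post&.visible_to&.include?(user)
  poll = polls[Array(params[:post_id]).last.to_i]
  raise BadRequest unless poll
  poll.votes << user
  poll.post_id
end

# Hardened shape: accept one scalar numeric id, resolve the post once,
# authorize that object, and reach the poll only through the same object.
def vote_hardened(polls, user, params)
  raw = params[:post_id]
  raise BadRequest unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  post = POSTS[raw.to_i]
  raise Forbidden unless post&.visible_to&.include?(user)
  poll = polls[post.id]
  raise BadRequest unless poll
  poll.votes << user
  poll.post_id
end

def outcome
  yield
rescue Forbidden
  :forbidden
rescue BadRequest
  :bad_request
end

if __FILE__ == $PROGRAM_NAME
  p(outcome { vote_flawed(fresh_polls, :alice, { post_id: %w[1 2] }) })
  p(outcome { vote_hardened(fresh_polls, :alice, { post_id: %w[1 2] }) })
end
```

The same two properties are what a regression test for the three affected actions should pin down: a non-scalar post_id is rejected, and the object that was authorized is the one whose poll is changed.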

Responsible: GitHub M

Reservation: 03/09/2026

Disclosure: 03/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00116

KEV: no

Activities: very low
