Discourse Poll Plugin Authorization Bypass Vulnerability

An authorization bypass vulnerability has been identified in the Discourse poll plugin, affecting versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability allows authenticated users to vote on, remove votes from, or change the open/closed status of polls they do not have permission to access. This issue arises because the authorization check can be manipulated by sending the post_id parameter as an array, causing the system to reference a different post's poll. The vulnerability impacts the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController.

Impact

Exploitation of this vulnerability allows for unauthorized voting actions on polls, including adding votes, removing votes, and toggling the status of polls between open and closed.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the vote, remove_vote, or toggle_status endpoints in the DiscoursePoll::PollsController. The post_id parameter should be included as an array, with one value corresponding to a post the user has access to and another value corresponding to a post the user does not have access to. This will bypass the authorization check and allow the user to manipulate the poll as if it were their own.

Remediation

Users are advised to upgrade to Discourse versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, all of which include the necessary patch.