Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.1.0-latest, < 2026.1.3
- >= 2026.2.0-latest, < 2026.2.2
- >= 2026.3.0-latest, < 2026.3.0
A vulnerability in Discourse allows users to interact with polls in private topics they no longer have access to. This issue affects Discourse versions from 2026.1.0-latest up to but not including 2026.1.3, from 2026.2.0-latest up to but not including 2026.2.2, and from 2026.3.0-latest up to but not including 2026.3.0. The vulnerability arises when users who have been removed from a private category group can still vote and toggle poll status via the API, allowing them to modify poll state they should no longer be able to reach.
Exploitation of this vulnerability allows unauthorized users to manipulate poll interactions, such as voting and changing poll statuses, in private topics they should not have access to.
To reproduce this vulnerability, a user must be a member of a private category group with access to a topic that contains a poll. After interacting with the poll, the user can be removed from the group, which should revoke their access to the topic. However, the user can still toggle the poll status or vote in the poll via the Discourse API, indicating that the access control is not properly enforced.
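The access-control defect described above, modelled as an added Ruby example that is not Discourse's own code. The class names (Guardian, PollService), the data structures and the constructed scenario are assumptions made for illustration; the point it demonstrates is that every poll vote or status toggle must re-evaluate whether the user can currently see the topic (via present group membership on a read-restricted category) rather than trust that earlier access still holds.

```ruby
# Added example for this advisory, not Discourse's code. Names and structures are
# assumptions; the scenario below is constructed to mirror the described report.
require 'set'

User = Struct.new(:id)
Group = Struct.new(:id, :member_ids)
Category = Struct.new(:id, :read_restricted, :allowed_group_ids)
Topic = Struct.new(:id, :category)
Poll = Struct.new(:id, :topic, :status, :votes)

class AccessDenied < StandardError; end

# Visibility check evaluated at request time: on a read-restricted category the
# user must *currently* belong to one of the category's allowed groups.
class Guardian
  def initialize(user, groups)
    @user = user
    @groups = groups # hash of group id => Group
  end

  def can_see_topic?(topic)
    category = topic.category
    return true unless category.read_restricted
    category.allowed_group_ids.any? do |gid|
      @groups[gid]&.member_ids&.include?(@user.id)
    end
  end
end

class PollService
  def initialize(poll, groups)
    @poll = poll
    @groups = groups
  end

  # Vulnerable pattern: mutate poll state without re-checking topic visibility,
  # so a user removed from the group can still change the poll.
  def vote_unchecked(user, option)
    @poll.votes[user.id] = option
    :voted
  end

  # Hardened pattern: every state-changing action re-runs the visibility check.
  def vote(user, option)
    authorize!(user)
    @poll.votes[user.id] = option
    :voted
  end

  def toggle_status(user)
    authorize!(user)
    @poll.status = @poll.status == :open ? :closed : :open
    @poll.status
  end

  private

  def authorize!(user)
    return if Guardian.new(user, @groups).can_see_topic?(@poll.topic)
    raise AccessDenied, "topic #{@poll.topic.id} is not visible to user #{user.id}"
  end
end

# Constructed scenario: a group member votes, is removed from the private
# category's group, then tries to vote and toggle the poll again.
def scenario
  group = Group.new(10, Set[1])
  groups = { 10 => group }
  category = Category.new(5, true, [10])
  topic = Topic.new(42, category)
  poll = Poll.new(7, topic, :open, {})
  user = User.new(1)
  service = PollService.new(poll, groups)

  results = {}
  results[:first_vote] = service.vote(user, 'yes')
  group.member_ids.delete(1) # removal from the private category group

  # The unchecked path still accepts the vote: this is the reported defect.
  results[:unchecked_after_removal] = service.vote_unchecked(user, 'no')

  # The checked paths refuse both the vote and the status toggle.
  results[:checked_vote_after_removal] =
    begin service.vote(user, 'no'); :allowed; rescue AccessDenied; :denied; end
  results[:checked_toggle_after_removal] =
    begin service.toggle_status(user); :allowed; rescue AccessDenied; :denied; end
  results[:poll_status] = poll.status
  results
end

puts scenario.inspect if __FILE__ == $0
```

Run with `ruby poll_guard.rb`: the first vote succeeds, the unchecked vote after removal still goes through, and both guarded actions are denied while the poll stays open. In a real deployment the equivalent of `Guardian#can_see_topic?` must be consulted inside the poll endpoints themselves, not only when the topic page is rendered.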
Users are advised to upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0.