Cyber Posture

CVE-2026-31805

Medium

Published: 20 March 2026

Published
20 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 27.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have…

more

access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to prevent authenticated users from bypassing access controls and manipulating unauthorized polls via array parameter tricks.

SI-10 Information Input Validation good match
prevent

Validates and sanitizes input parameters like post_id arrays to block improper input handling that decouples authorization checks from poll actions.

AC-6 Least Privilege partial match
prevent

Applies least privilege to restrict users to only necessary poll actions, mitigating the impact of authorization bypasses on inaccessible resources.

Security SummaryAI

CVE-2026-31805 is an authorization bypass vulnerability in the poll plugin of Discourse, an open-source discussion platform. It affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The flaw occurs because passing the post_id parameter as an array (e.g., post_id[]=&post_id[]=) causes the authorization check to resolve to an accessible post, while the poll lookup resolves to a different post's poll. This impacts the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. The vulnerability is associated with CWE-20 (Improper Input Validation) and CWE-863 (Incorrect Authorization), and it has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Authenticated users can exploit this vulnerability over the network with low complexity to manipulate polls they lack access to, such as voting, removing votes, or toggling the open/closed status. The bypass relies on the array parameter trick to decouple authorization from poll actions, allowing unauthorized interference in poll outcomes on affected Discourse instances.

Patches addressing this issue are available in Discourse versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Security practitioners should upgrade to these versions promptly. Additional details are provided in the GitHub security advisory at https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823 and the patching commit at https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4.

Details

CWE(s)
CWE-20CWE-863

Affected Products

discourse
discourse
2026.3.0 · 2026.1.0 — 2026.1.2 · 2026.2.0 — 2026.2.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is an authorization bypass in a public-facing web application (Discourse poll plugin) exploitable via crafted HTTP parameters, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References