Improper access control in Discourse - CVE-2026-31805
Published: July 1, 2026
Discourse
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authorization checks to modify poll state and disclose limited information about inaccessible polls.
The vulnerability exists due to improper access control in DiscoursePoll::PollsController vote, remove_vote, and toggle_status endpoints when handling a post_id array parameter. A remote attacker can send a specially crafted request with post_id supplied as an array to bypass authorization checks to modify poll state and disclose limited information about inaccessible polls.
The authorization check resolves to an accessible post while the poll lookup resolves to a different post's poll.