Improper access control in Discourse - CVE-2026-31805

Published: July 1, 2026


Vulnerability identifier: #VU136137
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-31805
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization checks to modify poll state and disclose limited information about inaccessible polls.

The vulnerability exists due to improper access control in the DiscoursePoll::PollsController vote, remove_vote, and toggle_status endpoints when handling a post_id parameter supplied as an array. A remote attacker can send a specially crafted request with post_id supplied as an array to bypass authorization checks, modify poll state, and disclose limited information about inaccessible polls.

With an array-valued post_id, the authorization check resolves to an accessible post while the poll lookup resolves to a different post's poll, so the check passes against one record and the action is applied to another.
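The bug class described above, as an added hypothetical Ruby illustration (this is not Discourse's code; the `Post`, `POSTS`, `POLLS` tables and both functions are constructed for the example). The vulnerable shape derives the post for the permission check and the post for the poll lookup from the raw parameter by two different paths; the hardened shape rejects non-scalar input, resolves the post once, and derives the poll from that same record.

```ruby
Post = Struct.new(:id, :public)
# Constructed sample data: post 1 is readable by everyone, post 2 is not.
POSTS = { 1 => Post.new(1, true), 2 => Post.new(2, false) }.freeze
POLLS = { 1 => { post_id: 1, status: "open" },
          2 => { post_id: 2, status: "open" } }.freeze

class Forbidden < StandardError; end
class BadRequest < StandardError; end

# Vulnerable shape (hypothetical): the permission check coerces the parameter one way
# (first element) while the lookup walks every element, so a guest who passes the
# check on the public post 1 still receives the poll belonging to the private post 2.
def poll_for_vulnerable(params, viewer_is_guest: true)
  raw = params["post_id"]
  checked_id = Integer(Array(raw).first)
  raise Forbidden if viewer_is_guest && !POSTS.fetch(checked_id).public
  Array(raw).map { |v| POLLS.fetch(Integer(v)) }.last
end

# Hardened shape: accept only a single integer-like scalar (arrays and hashes are a
# 400, not silently coerced), load the post exactly once, authorize that record, and
# look the poll up by the authorized record's id rather than by the raw parameter.
def scalar_id!(value)
  unless (value.is_a?(String) || value.is_a?(Integer)) && value.to_s.match?(/\A\d+\z/)
    raise BadRequest, "post_id must be a single integer"
  end
  Integer(value)
end

def poll_for_hardened(params, viewer_is_guest: true)
  post = POSTS.fetch(scalar_id!(params["post_id"]))
  raise Forbidden if viewer_is_guest && !post.public
  POLLS.fetch(post.id)
end
```

The same pattern applies to state-changing actions: authorize the loaded record, then mutate only through that record.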


How to mitigate CVE-2026-31805

Install the security update from the vendor's website.

Sources