Improper access control in Discourse - CVE-2026-32619


Published: July 1, 2026


Vulnerability identifier: #VU136148
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32619
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Civilized Discourse Construction Kit, Inc.
Affected software:
Discourse

Detailed vulnerability description

The vulnerability allows a remote user to modify poll state in topics they should no longer have access to.

The vulnerability exists due to improper access control in poll handling for private category topics when processing poll interactions after topic access has been revoked. A remote user can vote in polls or toggle poll status to modify poll state in topics they should no longer have access to.

No topic content is exposed. Exploitation requires that the user previously had access to the topic and later lost that access.
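To illustrate the class of defect the advisory describes, the following is an added Ruby example, not Discourse's code: a toy model of a private-category topic with a poll, in which the vulnerable vote handler never re-evaluates topic access, beside a fixed handler that re-runs the check on every vote or poll toggle. All class and method names (`Topic`, `User`, `visible_to?`, `vote_fixed`, and so on) are hypothetical stand-ins, and the exact check Discourse used before the fix is not described by the advisory.

```ruby
# Constructed model of a private-category topic with a poll. This is not Discourse's
# code: the class and method names are hypothetical stand-ins for the real ones.
class User
  attr_reader :id, :groups
  def initialize(id, groups)
    @id, @groups = id, groups.dup
  end
  def leave(group) ; @groups.delete(group) ; end
end

class Topic
  attr_reader :poll_votes, :poll_closed
  def initialize(allowed_group)
    @allowed_group = allowed_group  # only members of this group may see the topic
    @poll_votes = {}                # user_id => chosen option
    @poll_closed = false
  end
  # The authorization check that must gate every read AND every write.
  def visible_to?(user)
    user.groups.include?(@allowed_group)
  end
  def toggle_poll! ; @poll_closed = !@poll_closed ; end
end

# Vulnerable pattern: the handler assumes the caller reached the poll earlier and
# never re-evaluates access, so a user whose access was revoked still changes state.
def vote_vulnerable(topic, user, option)
  topic.poll_votes[user.id] = option
  :ok
end
# Fixed pattern: re-run the access check on every state-changing poll action.
def vote_fixed(topic, user, option)
  return :forbidden unless topic.visible_to?(user)
  topic.poll_votes[user.id] = option
  :ok
end
def toggle_fixed(topic, user)
  return :forbidden unless topic.visible_to?(user)
  topic.toggle_poll!
  :ok
end

# The advisory's precondition: the user had access, then lost it.
def revoked_user_scenario
  topic = Topic.new(:staff)
  alice = User.new(1, [:staff])
  alice.leave(:staff)             # access revoked after the topic was visible
  { vulnerable: vote_vulnerable(topic, alice, 'A'), fixed: vote_fixed(topic, alice, 'A'),
    toggle: toggle_fixed(topic, alice), poll_closed: topic.poll_closed }
end
```

Running `revoked_user_scenario` shows the vulnerable handler accepting the vote while the fixed handlers return `:forbidden` and leave poll state untouched; a user still in the group is unaffected by the added check.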


How to mitigate CVE-2026-32619

Install the security update from the vendor's website.
