{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-20T03:07:14.755Z", "dateUpdated": "2026-03-20T03:07:14.755Z"}, "containers": {"cna": {"title": "Discourse has a poll authorization bypass via post_id array parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823"}, {"name": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:07:14.755Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch."}], "source": {"advisory": "GHSA-fgxm-prjv-g823", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch."}], "id": "CVE-2026-31805", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:15:59.350", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4"}, {"source": "security-advisories@github.com", "url": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-20T04:20:28.082108+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to Discourse 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 or newer."], "summary": {"action": "Patch Now", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source discussion platform Discourse (product discourse:discourse). Versions prior to 2026.3.0\u2011latest.1, 2026.2.1, and 2026.1.2 are vulnerable. Those versions contain a patch, so all releases older than the specified patch versions are impacted.", "description_and_impact": "This vulnerability allows an authenticated user to bypass poll authorization in the Discourse poll plugin by sending the post_id parameter as an array. The authorization check resolves to a post that the user can access while the poll lookup resolves to a different post\u2019s poll. As a result, the attacker can vote on, remove votes from, or toggle the open/closed status of polls they are not authorized to modify. The weakness stems from improper input validation (CWE\u201120) and incomplete access control (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers need only authenticate to the site and call the vote, remove_vote, or toggle_status endpoints with a crafted post_id array to manipulate polls beyond their access rights. Due to the lack of external constraints and the straightforward API interaction, the likelihood of exploitation is considered moderate to high for environments where user authentication is possible."}}}}, "created": "2026-03-20T08:52:54.423574+00:00", "updated": "2026-03-20T10:37:36.997587+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}