CVE-2026-27021
Received Received - Intake
Unauthorized Access in Discourse Poll Plugin via Missing Visibility Checks

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27021
EUVD
EUVD-2026-8887
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
discourse discourse to 2025.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27021 is a moderate severity vulnerability affecting the Poll plugin in Discourse, an open source discussion platform. The issue occurs because the voters endpoint in the poll plugin did not have proper post visibility checks before certain patched versions. This flaw allows unauthorized users to access details about voters in polls on any post without needing any privileges or user interaction.

Impact Analysis

This vulnerability can impact you by allowing attackers to remotely and without any privileges access confidential voter details from polls on your Discourse platform. Although it does not affect data integrity or system availability, it compromises the confidentiality of user information related to poll participation.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized access to the poll voters endpoint in the Discourse poll plugin due to missing post visibility checks.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring network traffic for unauthorized requests to the poll voters endpoint, especially from unprivileged or unknown sources.'}, {'type': 'paragraph', 'content': 'Since the vulnerability can be exploited remotely without authentication, commands to detect suspicious HTTP requests to the poll voters endpoint could be useful.'}, {'type': 'list_item', 'content': 'Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests targeting the poll voters endpoint URL pattern.'}, {'type': 'list_item', 'content': 'Example tcpdump command to capture HTTP GET requests to the poll voters endpoint (replace <discourse_server_ip> and <endpoint_path> accordingly):'}, {'type': 'list_item', 'content': "tcpdump -i any -A host <discourse_server_ip> and 'tcp port 80 or 443' | grep 'GET /polls/voters'"}, {'type': 'list_item', 'content': 'Check Discourse server logs for unauthorized access attempts to the poll voters endpoint.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to test if the poll voters endpoint is accessible without authentication, e.g.: curl -v http://<discourse_server>/polls/voters?post_id=<id>'}] [1]

Mitigation Strategies

The primary mitigation step is to upgrade the Discourse poll plugin to a patched version.

  • Upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0, which include patches for this vulnerability.

No known workarounds are available, so applying the official patch is critical.

Additionally, monitor access to the poll voters endpoint and restrict network access if possible until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27021. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart