CVE-2026-27021
Unauthorized Access in Discourse Poll Plugin via Missing Visibility Checks

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-02
Generated: 2026-05-06
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product     Version / Range
discourse   discourse   From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse   discourse   2026.2.0
discourse   discourse   to 2025.12.0 (exc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27021 is a moderate severity vulnerability affecting the Poll plugin in Discourse, an open source discussion platform. The issue occurs because the voters endpoint in the poll plugin did not have proper post visibility checks before certain patched versions. This flaw allows unauthorized users to access details about voters in polls on any post without needing any privileges or user interaction.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to remotely and without any privileges access confidential voter details from polls on your Discourse platform. Although it does not affect data integrity or system availability, it compromises the confidentiality of user information related to poll participation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to the poll voters endpoint in the Discourse poll plugin due to missing post visibility checks.

Detection can focus on monitoring network traffic for unauthorized requests to the poll voters endpoint, especially from unprivileged or unknown sources.

Since the vulnerability can be exploited remotely without authentication, commands to detect suspicious HTTP requests to the poll voters endpoint could be useful.

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests targeting the poll voters endpoint URL pattern.
  • Example tcpdump command to capture HTTP GET requests to the poll voters endpoint (replace <discourse_server_ip> and <endpoint_path> accordingly):
    tcpdump -i any -A host <discourse_server_ip> and 'tcp port 80 or 443' | grep 'GET /polls/voters'
  • Check Discourse server logs for unauthorized access attempts to the poll voters endpoint.
  • Use curl or similar tools to test if the poll voters endpoint is accessible without authentication, e.g.: curl -v http://<discourse_server>/polls/voters?post_id=<id>


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Discourse poll plugin to a patched version.

  • Upgrade to Discourse versions 2025.12.2, 2026.1.1, or 2026.2.0, which include patches for this vulnerability.

No known workarounds are available, so applying the official patch is critical.

Additionally, monitor access to the poll voters endpoint and restrict network access if possible until the patch is applied.

