Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31805 is an authorization bypass vulnerability in the Discourse poll plugin. It allows authenticated users to perform actions such as voting, removing votes, or toggling the open/closed status on polls they are not authorized to access.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the post_id parameter can be passed as an array, causing the authorization check to validate against a post the user can access, while the poll lookup references a different post's poll. This mismatch enables bypassing access controls on poll-related endpoints."}, {'type': 'paragraph', 'content': 'The affected endpoints are vote, remove_vote, and toggle_status within the DiscoursePoll::PollsController. The issue is fixed in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an authenticated user to manipulate polls they should not have access to by voting, removing votes, or changing the poll's open/closed status on other users' posts."}, {'type': 'paragraph', 'content': 'The impact is limited to confidentiality with a low severity score (CVSS 5.3), and there is no impact on integrity or availability. However, unauthorized poll manipulation can affect the trustworthiness and fairness of poll results within the platform.'}, {'type': 'paragraph', 'content': 'There are no known workarounds, so upgrading to the patched versions is necessary to prevent exploitation.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authorization bypass in the Discourse poll plugin where an attacker passes the post_id parameter as an array to manipulate polls they should not access.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your system or network, you can monitor HTTP requests to the poll-related endpoints (vote, remove_vote, toggle_status) for suspicious usage of the post_id parameter as an array (e.g., post_id[]=value1&post_id[]=value2).'}, {'type': 'paragraph', 'content': "Commands to detect such attempts could include searching web server logs or proxy logs for requests containing 'post_id[]=' patterns targeting the poll endpoints."}, {'type': 'list_item', 'content': "Use grep or similar tools on your web server access logs to find suspicious requests, for example: grep -E 'post_id\\[\\]=' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': 'Monitor application logs or API request logs for calls to DiscoursePoll::PollsController endpoints with array parameters in post_id.'}, {'type': 'list_item', 'content': 'Set up alerts for unusual voting or poll status changes on posts by users who should not have access.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade your Discourse installation to one of the patched versions: 2026.3.0-latest.1, 2026.2.1, or 2026.1.2.

There are no known workarounds for this vulnerability, so applying the official patch is necessary to prevent unauthorized poll manipulation.

After upgrading, verify that the poll plugin correctly validates the post_id parameter and that unauthorized poll actions are blocked.

Useful 0 Not Useful 0