Executive Summary

This vulnerability affects the Discourse discussion platform in certain versions before they were patched. It occurs because users who have lost access to a topic, such as being removed from a private category group, could still interact with polls within that topic. Specifically, these unauthorized users could vote in polls and change poll statuses even though they should no longer have access to that topic.

No actual topic content was exposed through this vulnerability, but the ability to modify poll states represents unauthorized manipulation of the platform.

The issue was fixed by adding checks to ensure that users can only interact with polls if they still have visibility of the topic.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing users who should no longer have access to certain private topics to still influence poll results within those topics. They could vote or toggle poll statuses, which could distort poll outcomes and affect decision-making or community feedback processes.

While no confidential content is exposed, the unauthorized manipulation of poll states could undermine trust in the integrity of polls and the platform's access controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized users interacting with polls in topics they no longer have access to, such as voting or toggling poll status. Detection would involve monitoring for poll interactions by users who have lost access to the associated private categories or topics.

Since the issue is related to insufficient topic visibility checks in the DiscoursePoll plugin, detection could include reviewing application logs or API request logs for poll interactions by users who should not have access.

No specific commands are provided in the available resources, but suggested approaches include:

• Querying Discourse database or logs for poll votes or status changes made by users removed from private category groups.
• Using Discourse API logs to identify poll toggle or vote actions by users without current access to the topic.
• Implementing custom scripts or queries to cross-reference user group memberships with poll interactions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade Discourse to one of the patched versions where this vulnerability is fixed.

• Upgrade to Discourse version 2026.1.3 or later in the 2026.1.x series.
• Upgrade to Discourse version 2026.2.2 or later in the 2026.2.x series.
• Upgrade to Discourse version 2026.3.0 or later.

These updates include a fix that enforces topic visibility checks before allowing poll interactions, preventing unauthorized users from modifying poll states.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows users who have lost access to a topic to still interact with polls within that topic, including voting and toggling poll status, without exposing any content.

Although no content exposure occurred, the unauthorized ability to modify poll states in restricted topics represents a form of unauthorized manipulation.

There is no direct information in the provided context or resources about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0