{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-20T03:07:14.755Z", "dateUpdated": "2026-03-20T15:46:27.399Z"}, "containers": {"cna": {"title": "Discourse has a poll authorization bypass via post_id array parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823"}, {"name": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4", "tags": ["x_refsource_MISC"], "url": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4"}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"version": ">= 2026.1.0-latest, < 2026.1.2", "status": "affected"}, {"version": ">= 2026.2.0-latest, < 2026.2.1", "status": "affected"}, {"version": "= 2026.3.0-latest.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:07:14.755Z"}, "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch."}], "source": {"advisory": "GHSA-fgxm-prjv-g823", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:46:18.006150Z", "id": "CVE-2026-31805", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:46:27.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31805", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:46:18.006150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:46:23.076Z"}}], "cna": {"title": "Discourse has a poll authorization bypass via post_id array parameter", "source": {"advisory": "GHSA-fgxm-prjv-g823", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "discourse", "product": "discourse", "versions": [{"status": "affected", "version": ">= 2026.1.0-latest, < 2026.1.2"}, {"status": "affected", "version": ">= 2026.2.0-latest, < 2026.2.1"}, {"status": "affected", "version": "= 2026.3.0-latest.1"}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823", "name": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4", "name": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:07:14.755Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31805", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:46:27.399Z", "dateReserved": "2026-03-09T16:33:42.913Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T03:07:14.755Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0", "versionEndExcluding": "2026.1.2", "versionStartIncluding": "2026.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7", "versionEndExcluding": "2026.2.1", "versionStartIncluding": "2026.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch."}, {"lang": "es", "value": "Discourse es una plataforma de discusi\u00f3n de c\u00f3digo abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, una omisi\u00f3n de autorizaci\u00f3n en el plugin de encuestas permit\u00eda a usuarios autenticados votar en, eliminar votos de, o alternar el estado abierto/cerrado de encuestas a las que no ten\u00edan acceso. Al pasar post_id como un array (p. ej., post_id[]=&amp;post_id[]=), la verificaci\u00f3n de autorizaci\u00f3n se resuelve al post accesible mientras que la b\u00fasqueda de la encuesta se resuelve a la encuesta de un post diferente. Esto afecta a los endpoints vote, remove_vote y toggle_status en DiscoursePoll::PollsController. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche."}], "id": "CVE-2026-31805", "lastModified": "2026-03-24T20:17:35.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T03:15:59.350", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.1.0-latest,2026.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2026.2.0-latest,2026.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2026.3.0-latest.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "discourse", "source": "cna", "vendor": "discourse"}, "product": "discourse", "vendor": "discourse"}], "analysis": {"en": {"generated_at": "2026-03-24T21:32:34.675234+00:00", "value": {"mitigation_remediation": ["Apply the official patch to upgrade to Discourse 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2", "If an immediate upgrade is not possible, restrict poll voting permissions or disable the poll plugin to prevent unauthorized access to poll endpoints", "Monitor user activity for anomalous voting patterns and review poll integrity logs to detect potential abuse"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Poll Manipulation"}, "threat_synthesis": {"affected_systems": "Discourse forums running any version of the platform before 2026.3.0\u2011latest.1, 2026.2.1, or 2026.1.2 are affected. These installations use the DiscoursePoll plugin and have not yet applied the patch that moves the poll lookup into the authorized context. Versions 2026.3.0\u2011latest.1 and earlier that do not include the fix are vulnerable, while the indicated patched releases contain the remediation.", "description_and_impact": "The vulnerability in Discourse\u2019s poll plugin allows an authenticated user to manipulate polls they do not have permission to affect. By submitting the post identifier as an array parameter, the system resolves the authorization check against a reachable post while the poll lookup references a separate post\u2019s poll. This enables voting, removing votes, and toggling the open or closed status of unauthorized polls. The weakness is a combination of improper input validation (CWE\u201120) and flawed authorization checks (CWE\u2011863). The result is the potential for users to corrupt poll results or deny proper moderation control, thereby undermining the integrity of discussions that rely on poll outcomes.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact, while the EPSS probability of exploitation is below 1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with any level of access to the forum, who can perform crafted API calls to the vote, remove_vote, or toggle_status endpoints. The post_id array trick allows the attacker to bypass authorization checks. Although the likelihood of widespread use is low, an attacker with legitimate credentials can bias survey results or subvert moderation decisions, constituting a significant risk to any organization that relies on poll integrity."}}}}, "created": "2026-03-20T08:52:54.423574+00:00", "updated": "2026-03-25T14:09:32.649691+00:00", "vendors": ["discourse", "discourse$PRODUCT$discourse"]}