5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
Discourse has a poll authorization bypass via post_id array parameter
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.
References
Affected products
- === 2026.3.0-latest.1
- ==>= 2026.2.0-latest, < 2026.2.1
- ==>= 2026.1.0-latest, < 2026.1.2
Matching in nixpkgs
pkgs.discourse
Discourse is an open source discussion platform
pkgs.discourseAllPlugins
Discourse is an open source discussion platform
pkgs.discourse-mail-receiver
Helper program which receives incoming mail for Discourse
pkgs.python312Packages.pydiscourse
Python library for working with Discourse
pkgs.python313Packages.pydiscourse
Python library for working with Discourse
pkgs.python314Packages.pydiscourse
Python library for working with Discourse
pkgs.grafanaPlugins.grafana-discourse-datasource
Allows users to search and view topics, posts, users, tags, categories, and reports on a given Discourse forum through Grafana
Package maintainers
-
@talyz Kim Lindberger <kim.lindberger@gmail.com>
-
@Dettorer Paul Hervot <paul.hervot@dettorer.net>
-
@nagisa Simonas Kazlauskas <nixpkgs@kazlauskas.me>