CVE-2026-31805
Published: 20 March 2026
Summary
CVE-2026-31805 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Discourse Discourse. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent authenticated users from bypassing access controls and manipulating unauthorized polls via array parameter tricks.
Validates and sanitizes input parameters like post_id arrays to block improper input handling that decouples authorization checks from poll actions.
Applies least privilege to restrict users to only necessary poll actions, mitigating the impact of authorization bypasses on inaccessible resources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authorization bypass in a public-facing web application (Discourse poll plugin) exploitable via crafted HTTP parameters, directly enabling exploitation of public-facing applications.
NVD Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have…
more
access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch.
Deeper analysisAI
CVE-2026-31805 is an authorization bypass vulnerability in the poll plugin of Discourse, an open-source discussion platform. It affects versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The flaw occurs because passing the post_id parameter as an array (e.g., post_id[]=&post_id[]=) causes the authorization check to resolve to an accessible post, while the poll lookup resolves to a different post's poll. This impacts the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. The vulnerability is associated with CWE-20 (Improper Input Validation) and CWE-863 (Incorrect Authorization), and it has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Authenticated users can exploit this vulnerability over the network with low complexity to manipulate polls they lack access to, such as voting, removing votes, or toggling the open/closed status. The bypass relies on the array parameter trick to decouple authorization from poll actions, allowing unauthorized interference in poll outcomes on affected Discourse instances.
Patches addressing this issue are available in Discourse versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. Security practitioners should upgrade to these versions promptly. Additional details are provided in the GitHub security advisory at https://github.com/discourse/discourse/security/advisories/GHSA-fgxm-prjv-g823 and the patching commit at https://github.com/discourse/discourse/commit/1a6b3cdd8939053f485a60a6ea004a40878392c4.
Details
- CWE(s)