CVE-2026-31805 Overview
CVE-2026-31805 is an authorization bypass vulnerability in the Discourse open-source discussion platform. The vulnerability exists in the poll plugin and allows authenticated users to manipulate polls they should not have access to. By exploiting improper input validation in the post_id parameter, attackers can vote on, remove votes from, or toggle the open/closed status of polls in restricted posts.
Critical Impact
Authenticated users can bypass authorization controls to manipulate polls in posts they cannot access, potentially compromising the integrity of voting results and community decisions.
Affected Products
- Discourse versions prior to 2026.3.0-latest.1
- Discourse versions prior to 2026.2.1
- Discourse versions prior to 2026.1.2
Discovery Timeline
- 2026-03-20 - CVE-2026-31805 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-31805
Vulnerability Analysis
This authorization bypass vulnerability stems from an improper input validation weakness (CWE-20) in the Discourse poll plugin. The vulnerability allows authenticated users to circumvent access controls by exploiting a discrepancy in how the application handles array-based parameter manipulation. When a user submits the post_id parameter as an array (e.g., post_id[]=&post_id[]=), two different resolution paths are triggered: the authorization check resolves to one post while the poll lookup resolves to an entirely different post's poll. This allows attackers to interact with polls in posts they should not be able to access.
Root Cause
The root cause is improper input validation in the DiscoursePoll::PollsController. The controller does not properly validate the type and format of the post_id parameter before processing it. When the parameter is passed as an array, the authorization check and the poll lookup resolve to different posts, creating an authorization bypass condition. This affects the vote, remove_vote, and toggle_status endpoints within the controller.
Attack Vector
The attack requires network access and an authenticated session on the Discourse platform. An attacker can craft HTTP requests to the vulnerable poll endpoints with a specially formatted post_id parameter containing an array structure. By manipulating this parameter, the attacker can target polls in posts they cannot normally view or interact with. The attack requires no user interaction and can be automated to manipulate multiple polls across the platform.
The vulnerability mechanism involves passing malformed array parameters to bypass authorization checks. By submitting requests with post_id[]=&post_id[]= patterns, the authorization logic evaluates against one post while poll operations execute against another. For detailed technical analysis, refer to the GitHub Security Advisory GHSA-fgxm-prjv-g823.
Detection Methods for CVE-2026-31805
Indicators of Compromise
- Unusual patterns in HTTP request logs showing post_id[] array-based parameter submissions to poll endpoints
- Unexpected poll vote modifications on restricted or private category posts
- Authentication logs showing users interacting with polls in posts they have no access permissions for
- Anomalous activity on the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block array-based parameter manipulation attempts targeting poll endpoints
- Monitor application logs for requests containing post_id[]= patterns in poll-related API calls
- Review Discourse audit logs for poll state changes or vote modifications that don't correlate with legitimate user access patterns
- Configure intrusion detection systems to alert on unusual POST request patterns to /polls/ endpoints
Monitoring Recommendations
- Enable detailed request logging on the Discourse application to capture full parameter data
- Set up alerting for failed authorization checks that precede successful poll operations
- Monitor for bulk or automated requests to poll manipulation endpoints
- Review community reports of unexpected poll behavior or results
How to Mitigate CVE-2026-31805
Immediate Actions Required
- Upgrade Discourse to version 2026.3.0-latest.1, 2026.2.1, or 2026.1.2 or later immediately
- Review poll audit logs for signs of unauthorized manipulation prior to patching
- Consider temporarily disabling the poll plugin if immediate upgrade is not possible
- Audit any critical polls conducted during the vulnerable period for integrity
Patch Information
Discourse has released patches addressing this vulnerability in versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The fix ensures proper input validation of the post_id parameter to prevent array-based parameter manipulation. The patch commit is available at the GitHub Commit Update. Organizations should apply the appropriate patch based on their current Discourse branch.
Workarounds
- Temporarily disable the poll plugin via the Discourse admin panel until patching is complete
- Implement WAF rules to reject requests with array-formatted post_id parameters to poll endpoints
- Restrict poll creation and voting to trusted user groups as an interim measure
- Enable additional logging and monitoring on poll-related endpoints to detect exploitation attempts
Administrators can disable the poll plugin by navigating to the Discourse admin settings and locating the poll plugin configuration. Disabling this feature will prevent exploitation but will also remove polling functionality from the platform until patching is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
