CVE-2026-32619 Overview
CVE-2026-32619 is an authorization bypass vulnerability in Discourse, an open-source discussion platform. The flaw allows users who have lost access to a topic (e.g., through removal from a private category group) to continue interacting with polls in that topic. This includes the ability to vote on polls and toggle poll status, despite the user no longer having legitimate access to the topic content.
Critical Impact
Users can manipulate poll states in topics they should no longer have access to, potentially affecting poll integrity and voting outcomes in private discussions.
Affected Products
- Discourse versions 2026.1.0-latest to before 2026.1.3
- Discourse versions 2026.2.0-latest to before 2026.2.2
- Discourse versions 2026.3.0-latest to before 2026.3.0
Discovery Timeline
- 2026-03-31 - CVE-2026-32619 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-32619
Vulnerability Analysis
This vulnerability is classified under CWE-285 (Improper Authorization). The core issue lies in the poll plugin's failure to verify topic visibility before processing poll interactions. When a user attempts to vote on a poll or change its status, the application validates user authentication but does not confirm that the user still has permission to view the associated topic.
The authorization gap means that users who previously had access to a private topic (and may have cached knowledge of poll IDs) can continue to interact with those polls even after their access has been revoked. While no content is directly exposed through this vulnerability, the integrity of poll data can be compromised.
Root Cause
The root cause is a missing authorization check in the poll interaction workflow. The poll plugin (plugins/poll/lib/poll.rb) was processing poll votes and status changes without first verifying that the requesting user has visibility rights to the parent topic. This represents an incomplete access control implementation where user-poll relationships were checked but user-topic relationships were not validated.
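The following Ruby snippet is an added illustration of the gap described above, not Discourse's own code: it uses toy stand-ins for Discourse's Topic, Category and Guardian classes (all names here are assumptions) and places a pre-patch vote handler, which only records the user-poll relationship, beside a patched one that first asks the guardian whether the user can still see the parent topic.

```ruby
# Toy model of the CWE-285 gap in a poll vote path (constructed example, not Discourse code).
# Category#allowed_groups is nil for a public category, otherwise the list of groups
# whose members may see its topics.
Category = Struct.new(:name, :allowed_groups)
Topic    = Struct.new(:id, :category)
Poll     = Struct.new(:topic, :name, :votes)   # votes: { user_name => option }

# Minimal stand-in for Discourse's Guardian#can_see_topic?: a topic in a restricted
# category is visible only to current members of one of the category's allowed groups.
class Guardian
  def initialize(user, memberships)
    @user = user
    @memberships = memberships                 # { user_name => [group names] }
  end

  def can_see_topic?(topic)
    return false if topic.nil?
    allowed = topic.category.allowed_groups
    return true if allowed.nil?                # public category
    (@memberships.fetch(@user, []) & allowed).any?
  end
end

# Pre-patch behaviour: the vote is recorded as long as the caller is authenticated.
# The user-topic relationship is never consulted.
def vote_unpatched(poll, user, option, _memberships)
  poll.votes[user] = option
  :voted
end

# Patched behaviour: refuse the interaction when the user can no longer see the topic,
# before any poll state is read or written.
def vote_patched(poll, user, option, memberships)
  guardian = Guardian.new(user, memberships)
  return :forbidden unless guardian.can_see_topic?(poll.topic)
  poll.votes[user] = option
  :voted
end

# Constructed scenario: "alice" learned the poll exists while she was in the
# "insiders" group, then was removed from it; "bob" is still a member.
def run_scenario
  private_category = Category.new("private", ["insiders"])
  topic = Topic.new(42, private_category)
  poll  = Poll.new(topic, "poll", {})
  memberships = { "alice" => ["insiders"], "bob" => ["insiders"] }

  memberships["alice"] = []                    # alice loses access to the category

  {
    unpatched: vote_unpatched(poll, "alice", "yes", memberships),  # still accepted
    patched:   vote_patched(poll, "alice", "no", memberships),     # refused
    member:    vote_patched(poll, "bob", "yes", memberships),      # accepted
    votes:     poll.votes.dup
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The unpatched call writes alice's vote even though she is no longer in any allowed group; the patched call returns before touching the poll, which is the same ordering the upstream fix uses by placing the guardian check ahead of the poll lookup.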
Attack Vector
The attack vector is network-based and requires an attacker who previously had access to a private topic containing polls. The attacker can:
- Identify poll endpoints and poll names from their previous access period
- Submit poll interaction requests (votes, status toggles) via the Discourse API
- Successfully modify poll state despite lacking current topic access
The attack requires no user interaction and can be performed remotely, though it does require prior knowledge of the topic and poll identifiers.
# Security patch - Source: GitHub Commit d74ff25db994f06aa27e3466684f613b4e986ba6
# The fix adds topic visibility verification before allowing poll interactions
return
end
+ # user must be able to see the topic
+ unless guardian.can_see_topic?(post.topic)
+ raise DiscoursePoll::Error.new I18n.t("poll.user_cant_post_in_topic") if raise_errors
+ return
+ end
+
poll = Poll.find_by(post_id:, name: poll_name)
if !poll
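Review bot: the message key `poll.user_cant_post_in_topic` describes a posting restriction, while the new guard `unless guardian.can_see_topic?(post.topic)` is a visibility check; consider a dedicated key (for example `poll.user_cant_see_topic`, a suggested name) so the user-facing text matches the condition being enforced, and add a regression spec that removes a user from a private category's group and asserts that both voting and status toggles are refused. Placing the check ahead of `poll = Poll.find_by(post_id:, name: poll_name)` is the right ordering, since no poll row is read for a topic the user cannot see, and the silent `return` when `raise_errors` is false mirrors the preceding branch visible at the top of the hunk.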
Source: GitHub Commit Update
Detection Methods for CVE-2026-32619
Indicators of Compromise
- Unexpected poll votes or status changes in private topics
- Poll interactions from users who have been removed from private category groups
- API requests to poll endpoints from users without current topic access
- Anomalous voting patterns or poll manipulation in restricted categories
Detection Strategies
- Monitor Discourse logs for poll interaction attempts by users not in the topic's access groups
- Audit poll activity in private categories for votes from non-members
- Implement custom logging for poll API endpoints to track authorization failures
- Review access control group membership changes alongside poll activity timelines
Monitoring Recommendations
- Enable verbose logging for the poll plugin to capture all interaction attempts
- Set up alerts for poll modifications in sensitive or private categories
- Regularly audit poll participation lists against current topic access permissions
- Consider implementing additional server-side logging for failed authorization checks post-patch
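The audit described in the detection and monitoring lists above (compare poll interactions against the user's group membership at the time of the interaction) can be scripted against exported records. The Ruby below is an added example, not part of the advisory or of Discourse; the record shapes, timestamps, user and group names are all constructed, and a real run would load group membership changes and poll activity from the instance's own logs or database in place of the inline arrays.

```ruby
require "time"

# Constructed input: group membership changes over time (what an audit would pull
# from the instance's group-membership history).
GROUP_EVENTS = [
  { user: "alice", group: "insiders", action: :add,    at: Time.parse("2026-03-01T09:00:00Z") },
  { user: "alice", group: "insiders", action: :remove, at: Time.parse("2026-03-10T12:00:00Z") },
  { user: "bob",   group: "insiders", action: :add,    at: Time.parse("2026-03-01T09:00:00Z") },
].freeze

# Constructed input: which groups may see each restricted topic (nil => public topic).
TOPIC_GROUPS = { 42 => ["insiders"], 7 => nil }.freeze

# Constructed input: poll interactions (votes and status toggles) with timestamps.
POLL_VOTES = [
  { user: "alice", topic: 42, poll: "poll", action: "vote",   at: Time.parse("2026-03-05T10:00:00Z") },
  { user: "alice", topic: 42, poll: "poll", action: "toggle", at: Time.parse("2026-03-12T08:30:00Z") },
  { user: "alice", topic: 7,  poll: "poll", action: "vote",   at: Time.parse("2026-03-12T08:31:00Z") },
  { user: "bob",   topic: 42, poll: "poll", action: "vote",   at: Time.parse("2026-03-12T09:00:00Z") },
  { user: "carol", topic: 42, poll: "poll", action: "vote",   at: Time.parse("2026-03-13T09:00:00Z") },
].freeze

# Replay the membership events up to `at` and return the groups the user was in then.
def groups_at(events, user, at)
  events
    .select { |e| e[:user] == user && e[:at] <= at }
    .sort_by { |e| e[:at] }
    .each_with_object([]) do |e, groups|
      e[:action] == :add ? groups << e[:group] : groups.delete(e[:group])
    end
    .uniq
end

# Could the user see the topic at the given moment? Unknown topics raise (KeyError)
# rather than being silently treated as public.
def could_see_topic?(events, topic_groups, user, topic, at)
  allowed = topic_groups.fetch(topic)
  return true if allowed.nil?
  (groups_at(events, user, at) & allowed).any?
end

# Every interaction whose user belonged to none of the topic's allowed groups at
# the time is flagged; on an unpatched instance these are exactly the requests the
# missing guardian check would have let through.
def suspicious_interactions(votes, events, topic_groups)
  votes.reject { |v| could_see_topic?(events, topic_groups, v[:user], v[:topic], v[:at]) }
end

def report_lines(votes, events, topic_groups)
  suspicious_interactions(votes, events, topic_groups).map do |v|
    "#{v[:at].utc.iso8601} user=#{v[:user]} topic=#{v[:topic]} poll=#{v[:poll]} " \
      "action=#{v[:action]} -> no current access to topic at that time"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report_lines(POLL_VOTES, GROUP_EVENTS, TOPIC_GROUPS)
end
```

Replaying membership state at the time of each interaction, rather than comparing against membership today, is what separates a legitimate vote cast before removal from an interaction that should have been refused; the first alice record is accepted for that reason, while her later toggle and carol's vote (never a member) are flagged.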
How to Mitigate CVE-2026-32619
Immediate Actions Required
- Upgrade Discourse to patched versions: 2026.1.3, 2026.2.2, or 2026.3.0
- Review recent poll activity in private categories for potential unauthorized modifications
- Audit user group membership changes and correlate with poll interactions
- Consider temporarily disabling polls in highly sensitive private categories until patched
Patch Information
Discourse has released security patches addressing this vulnerability. The fix adds a topic visibility check (guardian.can_see_topic?) before allowing any poll interactions. Users should upgrade to the following versions:
- Version 2026.1.3 for the 2026.1.x branch
- Version 2026.2.2 for the 2026.2.x branch
- Version 2026.3.0 for the 2026.3.x branch
For detailed patch information, refer to the GitHub Security Advisory GHSA-wq58-pvf6-w4p8 and the commit d74ff25db994f06aa27e3466684f613b4e986ba6.
Workarounds
- Temporarily disable the poll plugin in environments where immediate patching is not possible
- Restrict poll creation to trusted staff members in sensitive categories
- Manually reset polls that may have been affected by unauthorized interactions
- Implement web application firewall (WAF) rules to rate-limit poll API endpoints
# Configuration example - Disable polls plugin temporarily via the Discourse container and Rails console
cd /var/discourse
./launcher enter app          # opens a shell inside the app container
rails c                       # opens the Rails console; the next line is Ruby, not shell
# Disable poll plugin (Ruby, typed at the Rails console prompt)
SiteSetting.poll_enabled = false
exit                          # leaves the Rails console
exit                          # leaves the container shell
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.