Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32619

CVE-2026-32619: Discourse Auth Bypass Vulnerability

CVE-2026-32619 is an authentication bypass flaw in Discourse that allows users without proper access to interact with polls in restricted topics. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-32619 Overview

CVE-2026-32619 is an authorization bypass vulnerability in Discourse, an open-source discussion platform. The flaw allows users who have lost access to a topic (e.g., through removal from a private category group) to continue interacting with polls in that topic. This includes the ability to vote on polls and toggle poll status, despite the user no longer having legitimate access to the topic content.

Critical Impact

Users can manipulate poll states in topics they should no longer have access to, potentially affecting poll integrity and voting outcomes in private discussions.

Affected Products

  • Discourse versions 2026.1.0-latest to before 2026.1.3
  • Discourse versions 2026.2.0-latest to before 2026.2.2
  • Discourse versions 2026.3.0-latest to before 2026.3.0

Discovery Timeline

  • 2026-03-31 - CVE CVE-2026-32619 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-32619

Vulnerability Analysis

This vulnerability is classified under CWE-285 (Improper Authorization). The core issue lies in the poll plugin's failure to verify topic visibility before processing poll interactions. When a user attempts to vote on a poll or change its status, the application validates user authentication but does not confirm that the user still has permission to view the associated topic.

The authorization gap means that users who previously had access to a private topic (and may have cached knowledge of poll IDs) can continue to interact with those polls even after their access has been revoked. While no content is directly exposed through this vulnerability, the integrity of poll data can be compromised.

Root Cause

The root cause is a missing authorization check in the poll interaction workflow. The poll plugin (plugins/poll/lib/poll.rb) was processing poll votes and status changes without first verifying that the requesting user has visibility rights to the parent topic. This represents an incomplete access control implementation where user-poll relationships were checked but user-topic relationships were not validated.

Attack Vector

The attack vector is network-based and requires an attacker who previously had access to a private topic containing polls. The attacker can:

  1. Identify poll endpoints and poll names from their previous access period
  2. Submit poll interaction requests (votes, status toggles) via the Discourse API
  3. Successfully modify poll state despite lacking current topic access

The attack requires no user interaction and can be performed remotely, though it does require prior knowledge of the topic and poll identifiers.

ruby
# Security patch - Source: GitHub Commit d74ff25db994f06aa27e3466684f613b4e986ba6
# The fix adds topic visibility verification before allowing poll interactions

         return
       end
 
+      # user must be able to see the topic
+      unless guardian.can_see_topic?(post.topic)
+        raise DiscoursePoll::Error.new I18n.t("poll.user_cant_post_in_topic") if raise_errors
+        return
+      end
+
       poll = Poll.find_by(post_id:, name: poll_name)
 
       if !poll

Source: GitHub Commit Update

Detection Methods for CVE-2026-32619

Indicators of Compromise

  • Unexpected poll votes or status changes in private topics
  • Poll interactions from users who have been removed from private category groups
  • API requests to poll endpoints from users without current topic access
  • Anomalous voting patterns or poll manipulation in restricted categories

Detection Strategies

  • Monitor Discourse logs for poll interaction attempts by users not in the topic's access groups
  • Audit poll activity in private categories for votes from non-members
  • Implement custom logging for poll API endpoints to track authorization failures
  • Review access control group membership changes alongside poll activity timelines

Monitoring Recommendations

  • Enable verbose logging for the poll plugin to capture all interaction attempts
  • Set up alerts for poll modifications in sensitive or private categories
  • Regularly audit poll participation lists against current topic access permissions
  • Consider implementing additional server-side logging for failed authorization checks post-patch

How to Mitigate CVE-2026-32619

Immediate Actions Required

  • Upgrade Discourse to patched versions: 2026.1.3, 2026.2.2, or 2026.3.0
  • Review recent poll activity in private categories for potential unauthorized modifications
  • Audit user group membership changes and correlate with poll interactions
  • Consider temporarily disabling polls in highly sensitive private categories until patched

Patch Information

Discourse has released security patches addressing this vulnerability. The fix adds a topic visibility check (guardian.can_see_topic?) before allowing any poll interactions. Users should upgrade to the following versions:

  • Version 2026.1.3 for the 2026.1.x branch
  • Version 2026.2.2 for the 2026.2.x branch
  • Version 2026.3.0 for the 2026.3.x branch

For detailed patch information, refer to the GitHub Security Advisory GHSA-wq58-pvf6-w4p8 and the commit d74ff25db994f06aa27e3466684f613b4e986ba6.

Workarounds

  • Temporarily disable the poll plugin in environments where immediate patching is not possible
  • Restrict poll creation to trusted staff members in sensitive categories
  • Manually reset polls that may have been affected by unauthorized interactions
  • Implement web application firewall (WAF) rules to rate-limit poll API endpoints
bash
# Configuration example - Disable polls plugin temporarily via Discourse CLI
cd /var/discourse
./launcher enter app
rails c
# Disable poll plugin
SiteSetting.poll_enabled = false
exit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.