Discourse Polls Flaw: Unauthorized State Changes Possible
CVE Notify is flagging a security vulnerability impacting Discourse, the popular open-source discussion platform. The flaw, tracked as CVE-2026-32619, allowed users who had lost access to a specific topic—for example, by being removed from a private category group—to continue interacting with polls within that topic. This included the ability to vote and toggle poll statuses, even though they should have been locked out.
While CVE Notify emphasizes that no sensitive content was exposed, the vulnerability did permit unauthorized modification of poll states. This could lead to manipulation of poll results or confusion within a community, undermining the integrity of discussions. The issue specifically affected Discourse versions ranging from 2026.1.0 up to, but not including, 2026.1.3; 2026.2.0 up to, but not including, 2026.2.2; and 2026.3.0 up to, but not including, 2026.3.0.
Fortunately, this bug has been addressed. Patches are available in Discourse versions 2026.1.3, 2026.2.2, and 2026.3.0. Administrators are strongly advised to update their instances promptly to mitigate this risk.
What This Means For You
- Review Discourse access control configurations for private categories and user group memberships regularly to ensure that revoking access effectively removes all interaction capabilities, not just content viewing.
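To make the failure mode concrete, the following is an added illustrative model in Ruby (Discourse's own language), not Discourse's code: a poll-vote path that checks only the poll status, beside one that re-validates topic visibility on every state-changing request. The topic, group, user and poll names are constructed for the example.

```ruby
# Illustrative model, not Discourse's own code: every poll action must re-check
# that the acting user can still see the topic, not only that the poll is open.
Topic = Struct.new(:id, :allowed_group)     # allowed_group nil => public topic
User  = Struct.new(:name, :groups)
Poll  = Struct.new(:topic, :status, :votes) # status is :open or :closed

# Mirrors a private-category rule: only members of the allowed group see the topic.
def can_see_topic?(user, topic)
  topic.allowed_group.nil? || user.groups.include?(topic.allowed_group)
end

# Vulnerable pattern: checks poll status but never whether the user still has
# access to the topic containing the poll, so a removed user can keep voting.
def vote_unchecked(poll, user, option)
  return :closed unless poll.status == :open
  poll.votes[user.name] = option
  :ok
end

# Hardened pattern: re-evaluate topic visibility on every state-changing request.
def vote_checked(poll, user, option)
  return :forbidden unless can_see_topic?(user, poll.topic)
  return :closed unless poll.status == :open
  poll.votes[user.name] = option
  :ok
end

def toggle_status_checked(poll, user)
  return :forbidden unless can_see_topic?(user, poll.topic)
  poll.status = poll.status == :open ? :closed : :open
  :ok
end

# Constructed scenario: alice votes as a group member, is then removed from the
# group, and tries again through both code paths.
def scenario
  topic = Topic.new(1, "staff")
  alice = User.new("alice", ["staff"])
  poll  = Poll.new(topic, :open, {})
  while_member = vote_checked(poll, alice, "A")
  alice.groups.delete("staff") # access revoked
  {
    vote_while_member: while_member,
    unchecked_after_revoke: vote_unchecked(poll, alice, "B"), # still :ok (the bug)
    checked_after_revoke: vote_checked(poll, alice, "C"),     # :forbidden
    toggle_after_revoke: toggle_status_checked(poll, alice),  # :forbidden
    recorded_vote: poll.votes["alice"]                         # "B" slipped through
  }
end
```

The `recorded_vote` entry shows why the unchecked path matters: the revoked user's vote is persisted, which is the poll-state manipulation the advisory describes.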
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32619 | Auth Bypass | Discourse versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. Vulnerability allows users who lost access to a topic to still interact with polls in that topic. |
| CVE-2026-32619 | Privilege Escalation | Discourse versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. Users could modify poll state in topics they should no longer have access to. |