The vulnerability in Discourse’s poll plugin allows an authenticated user to manipulate polls they do not have permission to affect. By submitting the post identifier as an array parameter, the system resolves the authorization check against a reachable post while the poll lookup references a separate post’s poll. This enables voting, removing votes, and toggling the open or closed status of unauthorized polls. The weakness is a combination of improper input validation (CWE‑20) and flawed authorization checks (CWE‑863). The result is the potential for users to corrupt poll results or deny proper moderation control, thereby undermining the integrity of discussions that rely on poll outcomes.

Discourse forums running any version of the platform before 2026.3.0‑latest.1, 2026.2.1, or 2026.1.2 are affected. These installations use the DiscoursePoll plugin and have not yet applied the patch that moves the poll lookup into the authorized context. Versions 2026.3.0‑latest.1 and earlier that do not include the fix are vulnerable, while the indicated patched releases contain the remediation.

The CVSS score of 5.3 indicates a moderate impact, while the EPSS probability of exploitation is below 1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with any level of access to the forum, who can perform crafted API calls to the vote, remove_vote, or toggle_status endpoints. The post_id array trick allows the attacker to bypass authorization checks. Although the likelihood of widespread use is low, an attacker with legitimate credentials can bias survey results or subvert moderation decisions, constituting a significant risk to any organization that relies on poll integrity.