6.9

Unauthorized access to poll data in Discourse before 2025.12.2, 2026.1.1, and 2026.2.0

CVE-2026-27021
Summary

Older versions of Discourse's poll feature allowed anyone to see who voted in a poll, even if they shouldn't have access to that information. This has been fixed in versions 2025.12.2, 2026.1.1, and 2026.2.0. If you're running an older version, you should update to a patched version as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product    Affected versions          Fix available
discourse  discourse  <= 2025.12.0
discourse  discourse  > 2026.1.0, <= 2026.1.1
discourse  discourse  2026.2.0
Original title
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized...
Original description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
nvd CVSS3.1 5.3
nvd CVSS4.0 6.9
Vulnerability type
CWE-862 Missing Authorization
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026