CVE-2026-27021 | THREATINT

Description

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

PUBLISHED Reserved 2026-02-17 | Published 2026-02-26 | Updated 2026-02-26 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

< 2025.12.2

affected

>= 2026.1.0-latest, < 2026.1.1

affected

>= 2026.2.0-latest, < 2026.2.0

affected

References

github.com/...course/security/advisories/GHSA-f5m5-9hpw-7c2g

cve.org (CVE-2026-27021)

nvd.nist.gov (CVE-2026-27021)

Download JSON