CVE-2026-27021

MEDIUM WAF: Low

CVSS 5.3 Published: 2026-02-26

CWE-862

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.

WAF Coverage Analysis

Missing Authorization Low WAF Coverage

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor	Product	Version
discourse	discourse	up to 2025.12.0
discourse	discourse	2026.1.0 - 2026.1.1
discourse	discourse	2026.2.0

References

github.com (Vendor Advisory)

Back to CVE Database