CVE-2026-27021

EUVD-2026-8887
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
discoursediscourse
𝑥
< 2025.12.0
discoursediscourse
2026.1.0 ≤
𝑥
< 2026.1.1
discoursediscourse
2026.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/discourse/discourse/security/advisories/GHSA-f5m5-9hpw-7c2g