Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-27021— Discourse: Poll voters endpoint lacked post visibility checks

EPSS 0.02% · P4
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-27021

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Discourse: Poll voters endpoint lacked post visibility checks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Discourse 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Discourse是Discourse开源的一套开源的社区讨论平台。该平台包括社区、电子邮件和聊天室等功能。 Discourse 2025.12.2之前版本、2026.1.1之前版本和2026.2.0之前版本存在安全漏洞,该漏洞源于投票插件中缺少帖子可见性检查,可能导致未授权访问投票者详情。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
discoursediscourse < 2025.12.2 -

II. Public POCs for CVE-2026-27021

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-27021

登录查看更多情报信息。

Same Patch Batch · discourse · 2026-02-26 · 17 CVEs total

CVE-2026-262657.5 HIGHDiscourse has IDOR vulnerability in the directory items endpoint
CVE-2026-260787.5 HIGHDiscourse has authentication bypass vulnerability in the Patreon plugin webhook endpoint
CVE-2026-260776.5 MEDIUMDiscourse doesn't ensure webhooks require a token
CVE-2026-262075.4 MEDIUMDIscourse's discourse-policy plugin lacks post access check
CVE-2026-269734.3 MEDIUMDiscourse doesn't scope reviewable notes to user-visible reviewables
CVE-2026-28227Discourse Vulnerable to Unauthorized Topic Creation in Staff-Only Categories via Topic Tim
CVE-2026-28219Privilege Escalation via Mass Assignment Allows Regular Users to Set Topics as Global Bann
CVE-2026-28218Discourse's Fail-Open Access Control in Data Explorer Plugin Allows Unauthorized SQL Query
CVE-2026-27154Discourse has XSS when editing a malicious post
CVE-2026-27153Discourse doesn't prevent moderators from exporting user Chat DMs
CVE-2026-27152DIscourse has DM communication-preference bypass when adding members
CVE-2026-27162DIscourse doesn't prevent whispers to leak in excerpts
CVE-2026-27151Discourse doesn't validate destination topic when moving posts
CVE-2026-27150Discourse doesn't ensure guardian check when creating QueryGroupBookmark
CVE-2026-27149Discourse has SQL injection in PM tag filtering
CVE-2026-26979Discourse: TL4 users are able to change status of restricted topics

IV. Related Vulnerabilities

Same product: discourse
Same vendor: discourse
Same weakness: CWE-862

V. Comments for CVE-2026-27021

No comments yet

Leave a comment