Medium severity4.3NVD Advisory· Published Mar 31, 2026· Updated Apr 9, 2026

CVE-2026-32619

Description

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic (e.g., removed from a private category group) could still interact with polls in that topic, including voting and toggling poll status. No content was exposed, but users could modify poll state in topics they should no longer have access to. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

Affected products

Discourse (software)/Discourse3 versions
cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*+ 2 more
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*
- cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest.1:*:*:*
- cpe:2.3:a:discourse:discourse:*:*:*:*:latest:*:*:*range: >=2026.1.0,<2026.1.3

Patches

d74ff25db994

https://github.com/discourse/discoursevia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/discourse/discourse/commit/d74ff25db994f06aa27e3466684f613b4e986ba6nvdPatch
github.com/discourse/discourse/security/advisories/GHSA-wq58-pvf6-w4p8nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000