CVE-2026-40869
Received Received - Intake
Authorization Bypass in Decidim Allows Amendment Manipulation

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40869
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
decidim decidim From 0.31.0 (inc) to 0.31.1 (exc)
decidim decidim From 0.19.0 (inc) to 0.30.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40869 is a vulnerability in the Decidim participatory democracy framework affecting versions from 0.19.0 up to but not including 0.30.5 and 0.31.1.

The flaw allows any registered and authenticated user to accept or reject amendments on proposals where the amendments feature is enabled, without proper authorization checks.

This unauthorized action elevates the acting user to the author of the original proposal because users who amend proposals are granted coauthorship on coauthorable resources.

The vulnerability exists because the only permission check is whether amendment reactions are enabled for the component, which is insufficient to prevent unauthorized acceptance or rejection of amendments.

Versions 0.30.5 and 0.31.1 fix this issue, and a recommended workaround is to disable amendment reactions for components that allow amendments, such as proposals.

Impact Analysis

This vulnerability can impact you by allowing any registered and authenticated user to modify the status of amendments on proposals without proper authorization.

Such unauthorized acceptance or rejection of amendments can lead to integrity issues, as the user performing the action is elevated to the author of the original proposal.

This means that the original authorship of proposals can be tampered with, potentially misleading stakeholders about who created or approved content.

The vulnerability has a high severity score (CVSS 7.5) due to its ease of exploitation over the network without requiring special privileges or user interaction.

Detection Guidance

This vulnerability involves unauthorized acceptance or rejection of amendments by any registered and authenticated user in Decidim versions 0.19.0 up to but not including 0.30.5 and 0.31.1. Detection involves verifying if your Decidim instance is running a vulnerable version and if the amendments feature is enabled on components such as proposals.

Since the vulnerability is related to application-level permissions and behavior, detection on the network or system level is limited. However, you can check the Decidim version installed and inspect whether amendment reactions are enabled in your configuration.

  • Check Decidim version by running: `bundle list | grep decidim` or inspecting your Gemfile.lock for the decidim-core version.
  • Review your Decidim configuration files or admin interface to see if amendment reactions are enabled for components like proposals.
  • Audit application logs for unexpected amendment acceptance or rejection actions performed by users who should not have such permissions.
Mitigation Strategies

The immediate mitigation step is to disable amendment reactions for any amendable components, such as proposals, in your Decidim instance. This prevents unauthorized users from accepting or rejecting amendments.

Additionally, upgrade your Decidim installation to version 0.30.5 or 0.31.1 or later, where this vulnerability is fixed.

Until patches are applied, restricting amendment reactions is the recommended workaround to avoid unauthorized modification of proposal authorship.

Compliance Impact

The vulnerability allows any registered and authenticated user to accept or reject amendments on proposals without proper authorization, effectively elevating their status to the author of the original proposal. This unauthorized modification impacts the integrity of proposal authorship.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized alteration of authorship and potential misattribution of user actions could raise concerns regarding data integrity and accountability, which are important aspects of such regulations.

Organizations using affected versions of Decidim should consider this vulnerability as a risk to the integrity and traceability of user-generated content, which may indirectly affect compliance with regulations that require accurate user action records and protection against unauthorized modifications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40869. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart