CVE-2026-40869
Authorization Bypass in Decidim Allows Amendment Manipulation
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| decidim | decidim | From 0.31.0 (inc) to 0.31.1 (exc) |
| decidim | decidim | From 0.19.0 (inc) to 0.30.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40869 is a vulnerability in the Decidim participatory democracy framework affecting versions from 0.19.0 up to but not including 0.30.5 and 0.31.1.
The flaw allows any registered and authenticated user to accept or reject amendments on proposals where the amendments feature is enabled, without proper authorization checks.
This unauthorized action elevates the acting user to the author of the original proposal because users who amend proposals are granted coauthorship on coauthorable resources.
The vulnerability exists because the only permission check is whether amendment reactions are enabled for the component, which is insufficient to prevent unauthorized acceptance or rejection of amendments.
Versions 0.30.5 and 0.31.1 fix this issue, and a recommended workaround is to disable amendment reactions for components that allow amendments, such as proposals.
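The authorization gap described above, as an added Ruby illustration that is not Decidim's own code: the weak check that gates only on the component setting sits beside a hardened check that also requires the acting user to be an author of the amended resource. The structs, the `ReactionPolicy` module, the `:evaluating` state name and the scenario data are all assumptions made for the example.

```ruby
# Added illustration, not Decidim's own code: the missing authorization check
# modelled as a plain Ruby policy. All class and method names are hypothetical.

User      = Struct.new(:id)
Component = Struct.new(:amendment_reactions_enabled)
# A coauthorable resource (e.g. a proposal) and an amendment raised against it.
Proposal  = Struct.new(:component, :author_ids)
Amendment = Struct.new(:amendable, :amender_id, :state)

module ReactionPolicy
  # Vulnerable form: the only gate is the component-level setting, so any
  # authenticated user may accept or reject the amendment.
  def self.vulnerable_allowed?(user, amendment)
    !user.nil? && amendment.amendable.component.amendment_reactions_enabled
  end

  # Hardened form: the setting is still required, but the reaction must also be
  # pending and the acting user must be an author of the amended resource.
  def self.allowed?(user, amendment)
    return false if user.nil?
    return false unless amendment.amendable.component.amendment_reactions_enabled
    return false unless amendment.state == :evaluating
    amendment.amendable.author_ids.include?(user.id)
  end
end

# Accepting an amendment grants the amender coauthorship on the resource, which
# is why the authorization decision above is security-relevant.
def accept_amendment!(user, amendment)
  return false unless ReactionPolicy.allowed?(user, amendment)
  amendment.state = :accepted
  amendment.amendable.author_ids |= [amendment.amender_id]
  true
end

# Constructed scenario: user 1 authored the proposal, user 2 amended it,
# user 3 is an unrelated registered user.
def build_scenario
  proposal  = Proposal.new(Component.new(true), [1])
  amendment = Amendment.new(proposal, 2, :evaluating)
  [proposal, amendment, User.new(1), User.new(2), User.new(3)]
end

if __FILE__ == $PROGRAM_NAME
  proposal, amendment, author, _amender, outsider = build_scenario
  puts "weak check lets outsider react: #{ReactionPolicy.vulnerable_allowed?(outsider, amendment)}"
  puts "fixed check lets outsider react: #{ReactionPolicy.allowed?(outsider, amendment)}"
  puts "author accepts: #{accept_amendment!(author, amendment)}, authors now #{proposal.author_ids.inspect}"
end
```

The weak check admits the unrelated user 3; the hardened check admits only the proposal's author, and a second acceptance is refused because the amendment is no longer pending.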
How can this vulnerability impact me?
This vulnerability can impact you by allowing any registered and authenticated user to modify the status of amendments on proposals without proper authorization.
Such unauthorized acceptance or rejection of amendments can lead to integrity issues, as the user performing the action is elevated to the author of the original proposal.
This means that the original authorship of proposals can be tampered with, potentially misleading stakeholders about who created or approved content.
The vulnerability has a high severity score (CVSS 7.5) due to its ease of exploitation over the network without requiring special privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized acceptance or rejection of amendments by any registered and authenticated user in Decidim versions 0.19.0 up to but not including 0.30.5 and 0.31.1. Detection involves verifying if your Decidim instance is running a vulnerable version and if the amendments feature is enabled on components such as proposals.
Since the vulnerability is related to application-level permissions and behavior, detection on the network or system level is limited. However, you can check the Decidim version installed and inspect whether amendment reactions are enabled in your configuration.
- Check Decidim version by running: `bundle list | grep decidim` or inspecting your Gemfile.lock for the decidim-core version.
- Review your Decidim configuration files or admin interface to see if amendment reactions are enabled for components like proposals.
- Audit application logs for unexpected amendment acceptance or rejection actions performed by users who should not have such permissions.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to disable amendment reactions for any amendable components, such as proposals, in your Decidim instance. This prevents unauthorized users from accepting or rejecting amendments.
Additionally, upgrade your Decidim installation to version 0.30.5 or 0.31.1 or later, where this vulnerability is fixed.
Until patches are applied, restricting amendment reactions is the recommended workaround to avoid unauthorized modification of proposal authorship.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any registered and authenticated user to accept or reject amendments on proposals without proper authorization, effectively elevating their status to the author of the original proposal. This unauthorized modification impacts the integrity of proposal authorship.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized alteration of authorship and potential misattribution of user actions could raise concerns regarding data integrity and accountability, which are important aspects of such regulations.
Organizations using affected versions of Decidim should consider this vulnerability as a risk to the integrity and traceability of user-generated content, which may indirectly affect compliance with regulations that require accurate user action records and protection against unauthorized modifications.