CVE-2026-40869
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
The vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources.
The only check done when accepting or rejecting amendments is whether the amendment reactions are enabled for the component: https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107
The permission checks have been changed at 1b99136 which was introduced in released version 0.19.0. I have not investigated whether prior versions are also affected.
Patches
Not available
Workarounds
Disable amendment reactions for the amendable component (e.g. proposals).
AnalysisAI
Authorization bypass in Decidim Core allows any authenticated user to accept or reject amendments on proposals belonging to other users, effectively hijacking proposal authorship. Affects decidim-core gem versions 0.19.0 and later. The flaw stems from insufficient permission checks (CWE-266) that only verify if amendment reactions are enabled at the component level, not whether the user owns the proposal. CVSS 7.5 (High) reflects network-based integrity impact, though the PR:N (no privileges required) rating appears inconsistent with the description stating 'registered and authenticated user' - this discrepancy should be verified with the vendor. No patch version identified in available data; vendor advisory recommends disabling amendment reactions as a workaround. No active exploitation (CISA KEV) or public POC reported at time of analysis.
Technical ContextAI
Decidim is an open-source participatory democracy platform built on Ruby on Rails, distributed as RubyGems packages. The vulnerability exists in the decidim-core component's permission system (decidim-core/app/permissions/decidim/permissions.rb). The flaw is rooted in CWE-266 (Incorrect Privilege Assignment), where authorization logic checks only whether amendment reactions are globally enabled for a component rather than validating ownership of the amendable resource. When a user accepts an amendment to another user's proposal, the platform grants them coauthorship status, effectively allowing privilege escalation from authenticated user to proposal author. This represents a horizontal privilege escalation where users can modify resources belonging to peers at the same privilege level. The issue was introduced in commit 1b99136 (version 0.19.0) during a refactoring of permission checks. The amendable/amendment pattern is common in collaborative platforms but requires proper subject-object authorization, which was omitted here.
RemediationAI
Vendor advisory recommends disabling amendment reactions for amendable components (e.g., proposals) as the primary mitigation until a patch is released. In Decidim admin interface, navigate to the affected component settings and toggle off amendment reactions functionality. This workaround prevents all users from proposing or accepting amendments, which may disrupt collaborative workflows but eliminates the authorization bypass risk. Trade-off: Organizations relying on amendments for participatory processes will lose this feature until patched. The commit reference https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9 points to the code change that introduced the vulnerability, not a fix - no released patched version has been identified in the available data. Monitor the GitHub advisory GHSA-w5xj-99cg-rccm for patch release announcements. Compensating control: Implement enhanced audit logging for amendment acceptance events and establish a review process for suspicious authorship changes, though this is detective rather than preventive. Consider restricting amendment features to trusted user groups via custom authorization handlers if business requirements prevent full disablement.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w5xj-99cg-rccm