CVE-2026-40869
HIGH
GHSA-w5xj-99cg-rccm
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Impact
The vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources.
The only check done when accepting or rejecting amendments is whether the amendment reactions are enabled for the component: https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107
The permission checks have been changed at 1b99136 which was introduced in released version 0.19.0. I have not investigated whether prior versions are also affected.
Patches
Not available
Workarounds
Disable amendment reactions for the amendable component (e.g. proposals).
AnalysisAI
Authorization bypass in Decidim Core allows any authenticated user to accept or reject amendments on proposals belonging to other users, effectively hijacking proposal authorship. Affects decidim-core gem versions 0.19.0 and later. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all Decidim Core instances and document current versions in use. Within 7 days: Contact the Decidim vendor to obtain the specific patched version and apply patch to all affected decidim-core gem instances (0.19.0 and later). …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today