Skip to main content

CVE-2026-40869

HIGH
Incorrect Privilege Assignment (CWE-266)
2026-04-14 https://github.com/decidim/decidim GHSA-w5xj-99cg-rccm
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 00:20 vuln.today
Analysis Generated
Apr 15, 2026 - 21:15 vuln.today
Patch released
Apr 15, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 14, 2026 - 22:22 nvd
HIGH 7.5

DescriptionGitHub Advisory

Impact

The vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources.

The only check done when accepting or rejecting amendments is whether the amendment reactions are enabled for the component: https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107

The permission checks have been changed at 1b99136 which was introduced in released version 0.19.0. I have not investigated whether prior versions are also affected.

Patches

Not available

Workarounds

Disable amendment reactions for the amendable component (e.g. proposals).

AnalysisAI

Authorization bypass in Decidim Core allows any authenticated user to accept or reject amendments on proposals belonging to other users, effectively hijacking proposal authorship. Affects decidim-core gem versions 0.19.0 and later. The flaw stems from insufficient permission checks (CWE-266) that only verify if amendment reactions are enabled at the component level, not whether the user owns the proposal. CVSS 7.5 (High) reflects network-based integrity impact, though the PR:N (no privileges required) rating appears inconsistent with the description stating 'registered and authenticated user' - this discrepancy should be verified with the vendor. No patch version identified in available data; vendor advisory recommends disabling amendment reactions as a workaround. No active exploitation (CISA KEV) or public POC reported at time of analysis.

Technical ContextAI

Decidim is an open-source participatory democracy platform built on Ruby on Rails, distributed as RubyGems packages. The vulnerability exists in the decidim-core component's permission system (decidim-core/app/permissions/decidim/permissions.rb). The flaw is rooted in CWE-266 (Incorrect Privilege Assignment), where authorization logic checks only whether amendment reactions are globally enabled for a component rather than validating ownership of the amendable resource. When a user accepts an amendment to another user's proposal, the platform grants them coauthorship status, effectively allowing privilege escalation from authenticated user to proposal author. This represents a horizontal privilege escalation where users can modify resources belonging to peers at the same privilege level. The issue was introduced in commit 1b99136 (version 0.19.0) during a refactoring of permission checks. The amendable/amendment pattern is common in collaborative platforms but requires proper subject-object authorization, which was omitted here.

RemediationAI

Vendor advisory recommends disabling amendment reactions for amendable components (e.g., proposals) as the primary mitigation until a patch is released. In Decidim admin interface, navigate to the affected component settings and toggle off amendment reactions functionality. This workaround prevents all users from proposing or accepting amendments, which may disrupt collaborative workflows but eliminates the authorization bypass risk. Trade-off: Organizations relying on amendments for participatory processes will lose this feature until patched. The commit reference https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9 points to the code change that introduced the vulnerability, not a fix - no released patched version has been identified in the available data. Monitor the GitHub advisory GHSA-w5xj-99cg-rccm for patch release announcements. Compensating control: Implement enhanced audit logging for amendment acceptance events and establish a review process for suspicious authorship changes, though this is detective rather than preventive. Consider restricting amendment features to trusted user groups via custom authorization handlers if business requirements prevent full disablement.

Share

CVE-2026-40869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy