Skip to main content

Decidim CVE-2026-45414

HIGH
Improper Authentication (CWE-287)
2026-07-13 https://github.com/decidim/decidim GHSA-r3v7-5x4c-c69q
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Network API with a low-complexity header swap, but requires a valid Org 1 credential (PR:L); scope changes because the credential acts across a tenant boundary, exposing PII (C:H) and a mutation path (I:L), with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:34 vuln.today
Analysis Generated
Jul 13, 2026 - 19:34 vuln.today
CVE Published
Jul 13, 2026 - 17:16 github-advisory
HIGH 8.5

DescriptionGitHub Advisory

Description

A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.

Technical description

The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1.

Reproduction steps:

  1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or

get the JWT token shown in the response when logged in as the organization admin.

<img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" />

  1. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant org2.localhost:3001

<img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" />

Note that using a participant-generated JWT did not allow showing these results.

Impact

A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.

Patches

See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756

Workarounds

Disable JWT credentials on system panel (/system)

References

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Org 1 admin/API JWT
Delivery
Change Host header to Org 2 tenant
Exploit
Replay JWT to Org 2 GraphQL API
Execution
API trusts Org 1 principal in Org 2 context
Persist
Read Org 2 participantDetails and PII
Impact
Reach Org 2 proposal.answer mutation

Vulnerability AssessmentAI

Exploitation The attacker must possess a valid JWT or API key for at least one Decidim organization - either a system-administrator-issued API key assigned to Org 1, or the JWT returned when logged in as an Org 1 organization admin; a participant-generated JWT does NOT yield results, per the advisory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, 8.5) is internally consistent with the description: network-reachable API, low complexity (swap a header), a low-privilege authenticated principal required (a valid Org 1 API key or admin JWT), and a changed scope because the credential authorizes actions under a different security authority (another tenant). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who legitimately operates (or has compromised the credentials of) an admin or API user on Org 1 obtains a JWT - from the admin login response or generated from a system-administrator-issued API key. They send that JWT to the GraphQL API while setting the Host header to org2.localhost, and the API answers in Org 2's context, returning Org 2 participants' personal data and the admin-only participantDetails field and exposing the proposal.answer mutation. …
Remediation Vendor-released patch: upgrade to Decidim 0.31.5, or to 0.32.0 if on the 0.32 release-candidate line; the corresponding fixes are PR https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756, which bind API/JWT authentication to the organization resolved from the request host. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Decidim instances in production and identify which employ multi-tenant configurations with cross-organization data separation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy