Decidim CVE-2026-45414
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Network API with a low-complexity header swap, but requires a valid Org 1 credential (PR:L); scope changes because the credential acts across a tenant boundary, exposing PII (C:H) and a mutation path (I:L), with no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Description
A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.
Technical description
The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1.
Reproduction steps:
- Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or
get the JWT token shown in the response when logged in as the organization admin.
<img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" />
- When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant
org2.localhost:3001
<img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" />
Note that using a participant-generated JWT did not allow showing these results.
Impact
A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.
Patches
See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756
Workarounds
Disable JWT credentials on system panel (/system)
References
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
AnalysisAI
Cross-tenant authentication bypass in Decidim (the Ruby-on-Rails participatory-democracy platform) lets a JWT issued in one organization (tenant) be replayed against a second organization's GraphQL API by simply changing the HTTP Host header. An authenticated Org 1 principal (admin or API user) can then read Org 2's admin-only participantDetails field, harvest Org 2 participant personal data, and reach Org 2's proposal.answer mutation path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid JWT or API key for at least one Decidim organization - either a system-administrator-issued API key assigned to Org 1, or the JWT returned when logged in as an Org 1 organization admin; a participant-generated JWT does NOT yield results, per the advisory. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, 8.5) is internally consistent with the description: network-reachable API, low complexity (swap a header), a low-privilege authenticated principal required (a valid Org 1 API key or admin JWT), and a changed scope because the credential authorizes actions under a different security authority (another tenant). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who legitimately operates (or has compromised the credentials of) an admin or API user on Org 1 obtains a JWT - from the admin login response or generated from a system-administrator-issued API key. They send that JWT to the GraphQL API while setting the Host header to org2.localhost, and the API answers in Org 2's context, returning Org 2 participants' personal data and the admin-only participantDetails field and exposing the proposal.answer mutation. … |
| Remediation | Vendor-released patch: upgrade to Decidim 0.31.5, or to 0.32.0 if on the 0.32 release-candidate line; the corresponding fixes are PR https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756, which bind API/JWT authentication to the organization resolved from the request host. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all Decidim instances in production and identify which employ multi-tenant configurations with cross-organization data separation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r3v7-5x4c-c69q