{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40869", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T15:57:41.718Z", "datePublished": "2026-04-21T19:08:28.239Z", "dateUpdated": "2026-04-21T19:35:55.139Z"}, "containers": {"cna": {"title": "Decidim amendments can be accepted or rejected by anyone", "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "lang": "en", "description": "CWE-266: Incorrect Privilege Assignment", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm"}, {"name": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9", "tags": ["x_refsource_MISC"], "url": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9"}], "affected": [{"vendor": "decidim", "product": "decidim", "versions": [{"version": ">= 0.31.0.rc1, < 0.31.1", "status": "affected"}, {"version": ">= 0.19.0, < 0.30.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:08:28.239Z"}, "descriptions": [{"lang": "en", "value": "Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals)."}], "source": {"advisory": "GHSA-w5xj-99cg-rccm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:35:49.007349Z", "id": "CVE-2026-40869", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:35:55.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40869", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:35:49.007349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:35:51.743Z"}}], "cna": {"title": "Decidim amendments can be accepted or rejected by anyone", "source": {"advisory": "GHSA-w5xj-99cg-rccm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "decidim", "product": "decidim", "versions": [{"status": "affected", "version": ">= 0.31.0.rc1, < 0.31.1"}, {"status": "affected", "version": ">= 0.19.0, < 0.30.5"}]}], "references": [{"url": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm", "name": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9", "name": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266: Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:08:28.239Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40869", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:35:55.139Z", "dateReserved": "2026-04-15T15:57:41.718Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:08:28.239Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "866F9266-B876-4727-A253-D1F3B0456C43", "versionEndExcluding": "0.30.5", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "029260FC-BDC7-4FFF-B8DA-B7BF1BF978EC", "versionEndExcluding": "0.31.1", "versionStartIncluding": "0.31.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals)."}], "id": "CVE-2026-40869", "lastModified": "2026-04-23T16:08:50.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-21T20:17:00.207", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory", "Patch"], "url": "https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.31.0.rc1,0.31.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.19.0,0.30.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "decidim", "source": "cna", "vendor": "decidim"}, "product": "decidim", "vendor": "decidim"}], "analysis": {"en": {"generated_at": "2026-04-22T05:33:14.539280+00:00", "value": {"mitigation_remediation": ["Upgrade Decidim to version 0.30.5 or later, or to version 0.31.1 or newer, to apply the vendor fix.", "If an upgrade is not immediately possible, disable amendment reactions for amendable components such as proposals through the configuration settings to block the acceptance or rejection action.", "Review and reinforce role\u2011based access control to ensure only authorized users can manage amendments, limiting the scope beyond the default configuration."], "summary": {"action": "Patch immediately", "impact": "Unauthorized role elevation via amendment acceptance/rejection"}, "threat_synthesis": {"affected_systems": "Decidim versions 0.19.0 up through 0.30.4 and 0.31.0 are affected. Version 0.30.5 and 0.31.1 include the fix. All components that enable amendments, such as proposals, are subject to the vulnerability.", "description_and_impact": "An authenticated user can accept or reject any amendment within Decidim, causing the user to be granted coauthor status on the original proposal. This privilege elevation allows the attacker to influence proposals beyond their own scope, potentially manipulating decision\u2011making processes and asserting authorship over content they did not create.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7.5 and is not listed in CISA KEV, indicating a moderate\u2011to\u2011high risk but no confirmed exploitation record. The EPSS score is not available, suggesting limited data on current exploitation likelihood. The attack can be carried out by any registered and authenticated user by simply using the standard amendment acceptance or rejection UI, without requiring additional privileges or remote code execution."}}}}, "created": "2026-04-22T04:45:09.199519+00:00", "updated": "2026-04-22T05:45:09.820012+00:00", "vendors": ["decidim", "decidim$PRODUCT$decidim"]}