CVE-2026-40869

Source
https://cve.org/CVERecord?id=CVE-2026-40869
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40869.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40869
Aliases
Published
2026-04-21T19:08:28.239Z
Modified
2026-07-08T08:13:13.174615690Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Decidim amendments can be accepted or rejected by anyone
Details

Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40869.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-266"
    ]
}
References

Affected packages

Git / github.com/decidim/decidim

Affected ranges

Type
GIT
Repo
https://github.com/decidim/decidim
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:*",
    "extracted_events": [
        {
            "introduced": "0.19.0"
        },
        {
            "fixed": "0.30.5"
        },
        {
            "introduced": "0.31.0"
        },
        {
            "fixed": "0.31.1"
        }
    ]
}

Affected versions

v0.*
v0.31.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40869.json"