{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/decidim--0.32.0.rc1--0.32.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Decidim (\u003c 0.31.5)","Decidim (\u003e= 0.32.0.rc1, \u003c 0.32.0)"],"_cs_severities":["medium"],"_cs_tags":["jwt-misconfiguration","access-control","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Decidim"],"content_html":"\u003cp\u003eA high-severity vulnerability, tracked as CVE-2026-45414, exists in the Decidim platform versions prior to 0.31.5 and in versions \u0026gt;= 0.32.0.rc1 but \u0026lt; 0.32.0. This flaw permits a malicious actor to perform a JWT replay attack, enabling unauthorized access to data across different Decidim organizational instances. An attacker, leveraging a valid JWT obtained from one organization (e.g., Org 1), can bypass access controls and access sensitive information or manipulate data within a separate, distinct organization (e.g., Org 2) by simply altering the HTTP Host header. This misconfiguration in how JWTs are bound to specific organizational contexts allows for the retrieval of admin-only GraphQL fields like \u003ccode\u003eparticipantDetails\u003c/code\u003e and interaction with mutation paths such as \u003ccode\u003eproposal.answer\u003c/code\u003e, posing a significant risk of data exposure and unauthorized modification across multi-tenant Decidim deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker first obtains a valid JWT associated with a legitimate account in Organization 1, either by using an API key provided by a system administrator or by capturing the JWT from an authenticated session of an Org 1 administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Decidim instance belonging to Organization 2, which is operating on the same vulnerable Decidim version.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request targeting a sensitive API endpoint of Organization 2, such as \u003ccode\u003e/api/graphql\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHost\u003c/code\u003e HTTP header in the crafted request to specify Organization 2's domain (e.g., \u003ccode\u003eorg2.localhost:3001\u003c/code\u003e), deceiving the Org 2 API into processing the request within its context.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds the valid JWT obtained from Organization 1 into the \u003ccode\u003eAuthorization\u003c/code\u003e header of the request.\u003c/li\u003e\n\u003cli\u003eThe Organization 2 API, due to the JWT scope misconfiguration, accepts the Org 1 JWT as valid for its own context.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses this replayed JWT to retrieve sensitive data, such as admin-only GraphQL \u003ccode\u003eparticipantDetails\u003c/code\u003e for Org 2 participants.\u003c/li\u003e\n\u003cli\u003eThe attacker may also access and potentially manipulate data through sensitive mutation paths like \u003ccode\u003eproposal.answer\u003c/code\u003e within Organization 2, leading to unauthorized data exposure and integrity compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-45414 leads to unauthorized cross-organizational data access and potential manipulation. Attackers can retrieve highly sensitive personal data of participants (e.g., via \u003ccode\u003eparticipantDetails\u003c/code\u003e) and interact with critical organizational processes (e.g., \u003ccode\u003eproposal.answer\u003c/code\u003e mutation path). While the number of specific victims or targeted sectors is not provided, any organization utilizing vulnerable Decidim versions in a multi-tenant or multi-organizational setup is at risk. If exploited, this could result in severe privacy breaches, unauthorized changes to proposals, and significant reputational damage for affected organizations, as sensitive administrative and user data from one organization could be exposed to an attacker authenticated to a different organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Decidim instances immediately to version 0.31.5 or newer, or to 0.32.0 or newer if running release candidate versions, as described in the provided \u003ccode\u003ehttps://github.com/decidim/decidim/pull/16673\u003c/code\u003e and \u003ccode\u003ehttps://github.com/decidim/decidim/pull/16756\u003c/code\u003e references.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, implement the workaround by disabling JWT credentials on the system panel (\u003ccode\u003e/system\u003c/code\u003e) of all Decidim instances.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious requests to Decidim API endpoints that contain \u003ccode\u003eAuthorization: Bearer \u0026lt;JWT\u0026gt;\u003c/code\u003e headers but have unusual or unexpected \u003ccode\u003eHost\u003c/code\u003e headers that do not match the legitimate domain of the application server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T17:19:34Z","date_published":"2026-07-13T17:19:34Z","id":"https://feed.craftedsignal.io/briefs/2026-07-decidim-jwt-replay/","summary":"A vulnerability, CVE-2026-45414, in Decidim allows an attacker to replay a JSON Web Token (JWT) issued for one organization against another organization's API, permitting an authenticated user from Org 1 to access and retrieve sensitive data, such as GraphQL `participantDetails` and `proposal.answer` mutation paths, from Org 2, effectively bypassing cross-organizational access controls.","title":"Decidim JWT Replay Vulnerability Allows Cross-Organization Data Access","url":"https://feed.craftedsignal.io/briefs/2026-07-decidim-jwt-replay/"}],"language":"en","title":"CraftedSignal Threat Feed - Decidim (\u003e= 0.32.0.rc1, \u003c 0.32.0)","version":"https://jsonfeed.org/version/1.1"}