<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Amendment - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/amendment/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/amendment/feed.xml" rel="self" type="application/rss+xml"/><item><title>Decidim Amendment Manipulation Vulnerability (CVE-2026-40869)</title><link>https://feed.craftedsignal.io/briefs/2024-01-decidim-vuln/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-decidim-vuln/</guid><description>CVE-2026-40869 allows authenticated users to manipulate amendments in Decidim versions 0.19.0 prior to 0.30.5 and 0.31.1, potentially hijacking authorship and impacting proposal integrity.</description><content:encoded><![CDATA[<p>Decidim is an open-source participatory democracy framework used by organizations to facilitate online discussions and decision-making. A vulnerability, CVE-2026-40869, affects Decidim versions 0.19.0 prior to 0.30.5 and 0.31.1. This flaw allows any registered and authenticated user to accept or reject amendments to proposals, even if they are not the original author. This can lead to unauthorized modification of proposals and the elevation of malicious users to co-authorship status, potentially undermining the integrity of the participatory process. The vulnerability was reported on 2026-04-21. Organizations using vulnerable versions of Decidim are at risk of having their proposals manipulated and their decision-making processes subverted.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers an account on the Decidim platform.</li>
<li>Attacker authenticates to the Decidim platform using their registered credentials.</li>
<li>Attacker identifies a proposal with the &quot;amendments&quot; feature enabled.</li>
<li>Attacker views the available amendments for the target proposal through the web interface (HTTP GET request to view amendment details).</li>
<li>Attacker crafts a malicious HTTP POST request to either accept or reject an amendment, bypassing intended authorization checks.</li>
<li>The Decidim application incorrectly processes the attacker's request, allowing the attacker to modify the amendment's status.</li>
<li>If the attacker accepts the amendment, they may be elevated to co-authorship of the original proposal.</li>
<li>The altered amendment status is reflected on the Decidim platform, potentially influencing voting or decision-making processes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40869 allows any registered user to manipulate amendments within Decidim proposals. This can lead to unauthorized modifications, data tampering, and the potential for a malicious actor to hijack the authorship of proposals. The number of affected organizations depends on the adoption rate of vulnerable Decidim versions. If successful, this can erode trust in the platform, manipulate democratic processes, and ultimately undermine the organization's decision-making capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Decidim to version 0.30.5 or 0.31.1 to patch CVE-2026-40869.</li>
<li>As a temporary workaround, disable amendment reactions for amendable components within Decidim, as recommended in the vulnerability description.</li>
<li>Monitor Decidim web server logs for suspicious POST requests to amendment endpoints originating from unusual IP addresses using the provided Sigma rule.</li>
<li>Implement the Sigma rule to detect unauthorized amendment modifications based on HTTP request parameters.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>decidim</category><category>vulnerability</category><category>amendment</category><category>manipulation</category></item></channel></rss>