{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40870/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40870"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Decidim"],"_cs_severities":["high"],"_cs_tags":["decidim","cve-2026-40870","api","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["Decidim"],"content_html":"\u003cp\u003eCVE-2026-40870 identifies a critical vulnerability within the Decidim participatory democracy framework. This flaw, affecting versions prior to 0.30.5 and 0.31.1, stems from the unrestricted access granted via the root level \u003ccode\u003ecommentable\u003c/code\u003e field in the API. The absence of proper permission checks on the \u003ccode\u003e/api\u003c/code\u003e endpoint, which is, by default, publicly accessible, allows unauthenticated users to retrieve all commentable resources within the platform. Successful exploitation of this vulnerability could lead to unauthorized data exposure. All Decidim instances that have not secured their \u003ccode\u003e/api\u003c/code\u003e endpoint are vulnerable. The vulnerability was fixed in versions 0.30.5 and 0.31.1. Decidim versions 0.19.0 and later that have enabled the \u0026quot;Force users to authenticate before access organization\u0026quot; setting have limited the scope of the vulnerability to only authenticated users. Version 0.22.0 applied this to the \u003ccode\u003e/api\u003c/code\u003e endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Decidim instance with a publicly accessible \u003ccode\u003e/api\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP GET request to the \u003ccode\u003e/api\u003c/code\u003e endpoint, targeting the root level \u003ccode\u003ecommentable\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eDue to missing permission checks, the API processes the request without authentication.\u003c/li\u003e\n\u003cli\u003eThe API retrieves data for all commentable resources within the Decidim platform.\u003c/li\u003e\n\u003cli\u003eThe API returns the requested data in JSON format to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the JSON response to extract sensitive information contained within the commentable resources.\u003c/li\u003e\n\u003cli\u003eDepending on the nature of the Decidim platform, this exposed data could include user details, internal discussions, or confidential documents.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data for malicious purposes, such as identity theft or leaking private information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40870 can lead to the unauthorized disclosure of sensitive information stored within a Decidim platform. The severity of the impact depends on the data managed by the platform. While the vulnerability is less critical for platforms primarily serving public data, it poses a significant risk to those protecting private resources within participation spaces. Victims could experience reputational damage, privacy breaches, and potential legal repercussions. The number of affected Decidim instances is currently unknown, but any instance running a vulnerable version with a publicly accessible \u003ccode\u003e/api\u003c/code\u003e endpoint is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Decidim instances to version 0.30.5 or 0.31.1 or later to patch CVE-2026-40870.\u003c/li\u003e\n\u003cli\u003eAs a workaround, limit access to the \u003ccode\u003e/api\u003c/code\u003e endpoint to only authenticated users by implementing custom code or installing the \u003ccode\u003eDecidim::Apiauth\u003c/code\u003e module, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eFor Decidim instances running version 0.19.0 or later, ensure the \u0026quot;Force users to authenticate before access organization\u0026quot; setting is enabled. This setting was applied to the \u003ccode\u003e/api\u003c/code\u003e endpoint in version 0.22.0.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Access to Decidim API Endpoint Without Authentication\u0026quot; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/api\u003c/code\u003e endpoint (webserver logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-decidim-cve-2026-40870/","summary":"CVE-2026-40870 allows unauthenticated access to commentable resources in Decidim platforms prior to versions 0.30.5 and 0.31.1 due to missing permission checks on the publicly accessible `/api` endpoint, potentially exposing sensitive data.","title":"Decidim API Unauthorized Access via CVE-2026-40870","url":"https://feed.craftedsignal.io/briefs/2024-01-decidim-cve-2026-40870/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-40870","version":"https://jsonfeed.org/version/1.1"}