Tag
A vulnerability, CVE-2026-45414, in Decidim allows an attacker to replay a JSON Web Token (JWT) issued for one organization against another organization's API, permitting an authenticated user from Org 1 to access and retrieve sensitive data, such as GraphQL `participantDetails` and `proposal.answer` mutation paths, from Org 2, effectively bypassing cross-organizational access controls.