<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Decidim - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/decidim/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/decidim/feed.xml" rel="self" type="application/rss+xml"/><item><title>Decidim API Unauthorized Access via CVE-2026-40870</title><link>https://feed.craftedsignal.io/briefs/2024-01-decidim-cve-2026-40870/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-decidim-cve-2026-40870/</guid><description>CVE-2026-40870 allows unauthenticated access to commentable resources in Decidim platforms prior to versions 0.30.5 and 0.31.1 due to missing permission checks on the publicly accessible `/api` endpoint, potentially exposing sensitive data.</description><content:encoded><![CDATA[<p>CVE-2026-40870 identifies a critical vulnerability within the Decidim participatory democracy framework. This flaw, affecting versions prior to 0.30.5 and 0.31.1, stems from the unrestricted access granted via the root level <code>commentable</code> field in the API. The absence of proper permission checks on the <code>/api</code> endpoint, which is, by default, publicly accessible, allows unauthenticated users to retrieve all commentable resources within the platform. Successful exploitation of this vulnerability could lead to unauthorized data exposure. All Decidim instances that have not secured their <code>/api</code> endpoint are vulnerable. The vulnerability was fixed in versions 0.30.5 and 0.31.1. Decidim versions 0.19.0 and later that have enabled the &quot;Force users to authenticate before access organization&quot; setting have limited the scope of the vulnerability to only authenticated users. Version 0.22.0 applied this to the <code>/api</code> endpoint.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable Decidim instance with a publicly accessible <code>/api</code> endpoint.</li>
<li>The attacker sends a crafted HTTP GET request to the <code>/api</code> endpoint, targeting the root level <code>commentable</code> field.</li>
<li>Due to missing permission checks, the API processes the request without authentication.</li>
<li>The API retrieves data for all commentable resources within the Decidim platform.</li>
<li>The API returns the requested data in JSON format to the attacker.</li>
<li>The attacker parses the JSON response to extract sensitive information contained within the commentable resources.</li>
<li>Depending on the nature of the Decidim platform, this exposed data could include user details, internal discussions, or confidential documents.</li>
<li>The attacker uses the exfiltrated data for malicious purposes, such as identity theft or leaking private information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40870 can lead to the unauthorized disclosure of sensitive information stored within a Decidim platform. The severity of the impact depends on the data managed by the platform. While the vulnerability is less critical for platforms primarily serving public data, it poses a significant risk to those protecting private resources within participation spaces. Victims could experience reputational damage, privacy breaches, and potential legal repercussions. The number of affected Decidim instances is currently unknown, but any instance running a vulnerable version with a publicly accessible <code>/api</code> endpoint is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Decidim instances to version 0.30.5 or 0.31.1 or later to patch CVE-2026-40870.</li>
<li>As a workaround, limit access to the <code>/api</code> endpoint to only authenticated users by implementing custom code or installing the <code>Decidim::Apiauth</code> module, as mentioned in the vulnerability description.</li>
<li>For Decidim instances running version 0.19.0 or later, ensure the &quot;Force users to authenticate before access organization&quot; setting is enabled. This setting was applied to the <code>/api</code> endpoint in version 0.22.0.</li>
<li>Deploy the Sigma rule &quot;Detect Access to Decidim API Endpoint Without Authentication&quot; to identify potential exploitation attempts.</li>
<li>Monitor web server logs for suspicious requests to the <code>/api</code> endpoint (webserver logs).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>decidim</category><category>cve-2026-40870</category><category>api</category><category>unauthorized-access</category></item><item><title>Decidim Amendment Acceptance Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-decidim-amendment-vuln/</guid><description>An authentication bypass vulnerability in Decidim allows any registered user to accept or reject amendments, potentially granting them co-author status on affected proposals; versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 are affected.</description><content:encoded><![CDATA[<p>Decidim is an open-source participatory democracy framework. A vulnerability exists within Decidim versions 0.19.0 through 0.30.5 and 0.31.0.rc1 through 0.31.1 where any authenticated user can accept or reject amendments to proposals, regardless of their authorization. This issue stems from insufficient permission checks when handling amendment reactions within the affected Decidim components. Successful exploitation allows an attacker to manipulate proposal content and gain co-author status, potentially influencing the outcome of participatory processes. There are currently no patches available; the identified workaround involves disabling amendment reactions for components using the amendable feature. This vulnerability was reported on GitHub as GHSA-w5xj-99cg-rccm.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers an account on the Decidim platform.</li>
<li>Attacker authenticates to the Decidim platform with their registered account.</li>
<li>Attacker identifies a proposal with the amendments feature enabled.</li>
<li>Attacker crafts a malicious HTTP request to the <code>/amendments/{amendment_id}/accept</code> or <code>/amendments/{amendment_id}/reject</code> endpoint.</li>
<li>The Decidim application processes the request without proper authorization checks due to the vulnerability in <code>decidim/permissions.rb</code>.</li>
<li>The amendment is accepted or rejected based on the attacker's request.</li>
<li>If the amendment is accepted, the attacker is granted co-author status on the proposal.</li>
<li>Attacker leverages co-author status to influence or control the proposal.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can compromise the integrity of participatory processes managed by Decidim. By exploiting the vulnerability, an attacker can manipulate proposals and gain undue influence, potentially undermining the democratic process. Impacts can range from subtle alterations of proposal content to complete control over proposal outcomes. The number of affected proposals depends on the number of Decidim installations using the vulnerable versions and having the amendment feature enabled.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the provided workaround by disabling amendment reactions for the amendable component (e.g., proposals) to mitigate the vulnerability until a patch is available (reference: Workarounds section).</li>
<li>Monitor Decidim application logs for suspicious activity related to amendment acceptance/rejection actions originating from unauthorized users. Implement a detection rule focusing on HTTP POST requests to <code>/amendments/{amendment_id}/accept</code> and <code>/amendments/{amendment_id}/reject</code> (reference: Sigma rule - Decidim Suspicious Amendment Activity).</li>
<li>Upgrade to a patched version of Decidim-core once available to remediate the vulnerability. Check the Decidim release notes for updates (reference: Affected Packages section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>decidim</category><category>authentication-bypass</category><category>privilege-escalation</category><category>web-application</category></item><item><title>Decidim Amendment Manipulation Vulnerability (CVE-2026-40869)</title><link>https://feed.craftedsignal.io/briefs/2024-01-decidim-vuln/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-decidim-vuln/</guid><description>CVE-2026-40869 allows authenticated users to manipulate amendments in Decidim versions 0.19.0 prior to 0.30.5 and 0.31.1, potentially hijacking authorship and impacting proposal integrity.</description><content:encoded><![CDATA[<p>Decidim is an open-source participatory democracy framework used by organizations to facilitate online discussions and decision-making. A vulnerability, CVE-2026-40869, affects Decidim versions 0.19.0 prior to 0.30.5 and 0.31.1. This flaw allows any registered and authenticated user to accept or reject amendments to proposals, even if they are not the original author. This can lead to unauthorized modification of proposals and the elevation of malicious users to co-authorship status, potentially undermining the integrity of the participatory process. The vulnerability was reported on 2026-04-21. Organizations using vulnerable versions of Decidim are at risk of having their proposals manipulated and their decision-making processes subverted.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker registers an account on the Decidim platform.</li>
<li>Attacker authenticates to the Decidim platform using their registered credentials.</li>
<li>Attacker identifies a proposal with the &quot;amendments&quot; feature enabled.</li>
<li>Attacker views the available amendments for the target proposal through the web interface (HTTP GET request to view amendment details).</li>
<li>Attacker crafts a malicious HTTP POST request to either accept or reject an amendment, bypassing intended authorization checks.</li>
<li>The Decidim application incorrectly processes the attacker's request, allowing the attacker to modify the amendment's status.</li>
<li>If the attacker accepts the amendment, they may be elevated to co-authorship of the original proposal.</li>
<li>The altered amendment status is reflected on the Decidim platform, potentially influencing voting or decision-making processes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40869 allows any registered user to manipulate amendments within Decidim proposals. This can lead to unauthorized modifications, data tampering, and the potential for a malicious actor to hijack the authorship of proposals. The number of affected organizations depends on the adoption rate of vulnerable Decidim versions. If successful, this can erode trust in the platform, manipulate democratic processes, and ultimately undermine the organization's decision-making capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Decidim to version 0.30.5 or 0.31.1 to patch CVE-2026-40869.</li>
<li>As a temporary workaround, disable amendment reactions for amendable components within Decidim, as recommended in the vulnerability description.</li>
<li>Monitor Decidim web server logs for suspicious POST requests to amendment endpoints originating from unusual IP addresses using the provided Sigma rule.</li>
<li>Implement the Sigma rule to detect unauthorized amendment modifications based on HTTP request parameters.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>decidim</category><category>vulnerability</category><category>amendment</category><category>manipulation</category></item></channel></rss>