Decidim API Flaw Exposes Sensitive Participatory Data
The National Vulnerability Database has detailed CVE-2026-40870, a high-severity vulnerability (CVSS 7.5) affecting Decidim, a participatory democracy framework. Versions from 0.0.1 up to, but not including, 0.30.5 and 0.31.1 are impacted. The core issue lies within the root-level commentable field in the API, which, by default, grants access to all commentable resources without proper permission checks. This means sensitive data intended for private participation spaces could be exposed if the /api endpoint is not secured.
All Decidim instances are vulnerable if the /api endpoint remains publicly accessible, which is the default configuration. While the National Vulnerability Database notes that the severity lessens if the platform primarily serves public data, it becomes critical when protecting private resources. The vulnerability’s scope is further limited for instances that have enabled the “Force users to authenticate before access organization” setting (introduced in 0.19.0 and applied to the /api endpoint in 0.22.0), restricting exposure to authenticated users only.
Patches are available in Decidim versions 0.30.5 and 0.31.1. For those unable to upgrade immediately, a workaround involves limiting /api endpoint access to authenticated users. This requires custom code or implementing the Decidim::Apiauth module. Alternatively, administrators can disable all traffic to the /api endpoint by removing allow statements, effectively mitigating the direct exposure.
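The workaround above (limit `/api` to authenticated users until the fix is deployed) amounts to a request guard in front of the GraphQL endpoint. The following is an added illustration written for this page, not Decidim's own code and not the Decidim::Apiauth module: a plain Rack middleware that returns 401 for any request under `/api` when no signed-in user can be found. The class name `ApiAuthGuard`, the session key `user_id`, and the stand-in backend app are assumptions for illustration; a Devise-based deployment would normally consult `env["warden"].user` instead of the session hash.

```ruby
require "json"

# Added example: Rack middleware that refuses unauthenticated requests to /api.
# Decidim is a Rails application, so a class of this shape could be inserted
# into its middleware stack; names and the session layout are assumptions.
class ApiAuthGuard
  API_PREFIX = "/api".freeze

  # app:           the downstream Rack application
  # authenticated: callable that inspects the Rack env and returns truthy for a
  #                signed-in user. The default looks for a user id in the Rack
  #                session, which is an assumption about how the session is
  #                populated, not Decidim's actual mechanism.
  def initialize(app, authenticated: ->(env) { env.dig("rack.session", "user_id") })
    @app = app
    @authenticated = authenticated
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless api_path?(path)
    return @app.call(env) if @authenticated.call(env)

    # Deny with a GraphQL-style error body; nothing from the backend is leaked.
    body = JSON.generate({ "errors" => [{ "message" => "Authentication required" }] })
    [401, { "content-type" => "application/json", "content-length" => body.bytesize.to_s }, [body]]
  end

  # Matches /api and everything below it (including /api/docs), but not
  # unrelated paths that merely share the prefix text, such as /apidocs.
  def api_path?(path)
    path == API_PREFIX || path.start_with?("#{API_PREFIX}/")
  end
end

# Constructed downstream app standing in for the real API endpoint.
BACKEND = ->(_env) { [200, { "content-type" => "application/json" }, ['{"data":{}}']] }

# Builds a minimal Rack env for one request (constructed test input).
def build_env(path, user_id: nil)
  session = {}
  session["user_id"] = user_id if user_id
  { "REQUEST_METHOD" => "POST", "PATH_INFO" => path, "rack.session" => session }
end

# Returns only the HTTP status the guarded stack produces for a request.
def guarded_status(path, user_id: nil)
  ApiAuthGuard.new(BACKEND).call(build_env(path, user_id: user_id)).first
end

if __FILE__ == $PROGRAM_NAME
  puts guarded_status("/api")                # anonymous request to the API is refused
  puts guarded_status("/api", user_id: 42)   # signed-in user passes through
  puts guarded_status("/processes")          # non-API paths are untouched
end
```

The guard is deliberately coarse: it blocks every `/api` path for anonymous callers rather than reasoning about which commentable resources are private, which is exactly the point of a stopgap that has to hold until the patched versions are installed. Verify after deployment that an anonymous request to `/api` really returns 401 and that the public site still renders, since the guard sits in front of the whole prefix.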
What This Means For You
- If your organization uses Decidim, prioritize immediate patching to versions 0.30.5 or 0.31.1. If patching isn't feasible, implement the workaround to restrict `/api` endpoint access to authenticated users or disable it entirely. Audit your Decidim instance to determine if private participation spaces could have been exposed and assess potential data leaks.
🛡️ Detection Rules
Decidim API Unauthenticated Access to Commentable Resources - CVE-2026-40870
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40870 | Information Disclosure | Decidim versions 0.0.1 up to 0.30.4 and 0.31.0 |
| CVE-2026-40870 | Auth Bypass | Decidim API endpoint /api |
| CVE-2026-40870 | Information Disclosure | Decidim API 'commentable' field |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 23:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.