PT-2026-34052 · Decidim · Decidim

Published: 2026-04-21 · Updated: 2026-04-22 · CVE-2026-40870

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Decidim versions 0.0.1 through 0.30.4
Decidim version 0.31.0

Description

The root-level 'commentable' field of the API returns any commentable resource on the platform without performing permission checks. The issue is reachable on instances where the '/api' endpoint is publicly accessible, which is the default configuration. If the platform hosts private participation spaces, their non-public data may be exposed. On instances that enable the organization setting 'Force users to authenticate before access organization' (introduced in version 0.19.0 and applied to the '/api' endpoint since version 0.22.0), the impact is limited to authenticated users.

Recommendations

Update to version 0.30.5 or 0.31.1.
Limit access to the '/api' endpoint to authenticated users via custom code.
Disable all traffic to the '/api' endpoint using custom configuration without allow statements.
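One way to implement the "limit access to '/api' to authenticated users" recommendation, as an added example that is not Decidim's own code: a Rack middleware that refuses anonymous requests to '/api' (and every sub-path) before the GraphQL layer, and with it the root-level 'commentable' field, can answer them. The class name, the injected `authenticated:` predicate and the session-based demo check are assumptions; in a real Decidim deployment the predicate would consult the Devise/Warden session.

```ruby
# Rack middleware that closes the '/api' endpoint to anonymous requests before the
# GraphQL layer (and its root-level 'commentable' field) can answer them.
# Assumptions: the class name, the injected `authenticated:` predicate and the
# session-based demo check are made up for this example; they are not Decidim code.
class ApiAuthGate
  API_PREFIX = "/api"

  # authenticated: callable taking the Rack env, true when the request is signed in.
  # In a Decidim (Devise/Warden) deployment it would consult env["warden"]; injecting
  # it keeps the gate testable offline.
  def initialize(app, authenticated:)
    @app = app
    @authenticated = authenticated
  end

  def call(env)
    return @app.call(env) unless api_path?(env["PATH_INFO"].to_s)
    return @app.call(env) if @authenticated.call(env)

    # Deny by default: no per-field allow list to keep in sync with the schema.
    [401, { "content-type" => "application/json" },
     ['{"errors":[{"message":"authentication required"}]}']]
  end

  private

  # Match '/api' and everything below it (e.g. '/api/docs'), but not '/apiary'.
  # Percent-decode and collapse '.'/'..' segments first, so encoded or dotted
  # spellings of the same path cannot slip past the prefix check.
  def api_path?(raw_path)
    decoded = raw_path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    path = File.expand_path(decoded, "/")
    path == API_PREFIX || path.start_with?("#{API_PREFIX}/")
  end
end

# Constructed demo wiring: a stub downstream app and a cookie-session style check.
DOWNSTREAM_APP = ->(_env) { [200, { "content-type" => "application/json" }, ['{"data":{}}']] }
API_GATE = ApiAuthGate.new(DOWNSTREAM_APP,
                           authenticated: ->(env) { env["rack.session"].to_h.key?("user_id") })

# Returns the HTTP status the gate yields for a request to `path`.
def gate_status(path, session: nil)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => path }
  env["rack.session"] = session if session
  API_GATE.call(env).first
end
```

The middleware must sit after the session and Warden middleware in the stack, otherwise the predicate sees an empty session and every API request is rejected.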

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-40870

Affected Products

Decidim