PT-2026-60071 · Rubygems · Decidim
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-45414
CVSS v3.1
8.5
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
Description
A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL
participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.Technical description
The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to
that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated
principal from Org 1.
Reproduction steps:
- Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin.
- When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant
org2.localhost:3001
Note that using a participant-generated JWT did not allow showing these results.
Impact
A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.
Patches
Workarounds
Disable JWT credentials on system panel (
/system)References
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Decidim