CVE-2026-40869
Published: 21 April 2026
Summary
CVE-2026-40869 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Decidim. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE ranks in the 12.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-40869 is an authorization vulnerability (CWE-266) in Decidim, an open-source participatory democracy framework. It affects versions starting from 0.19.0 up to but not including 0.30.5 and 0.31.1. The flaw allows any registered and authenticated user to accept or reject amendments on proposals, bypassing intended permissions. This impacts proposal creators who have enabled the amendments feature, as unauthorized users can manipulate amendment states and gain coauthorship on affected resources, incorrectly elevating their role as authors of the original proposals.
Any registered and authenticated user on a vulnerable Decidim instance can exploit this remotely over the network with low complexity, requiring no special privileges beyond basic login (CVSS v3.1 base score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Attackers can arbitrarily accept or reject amendments on any proposal, disrupting participatory processes and falsifying coauthorship credits, potentially leading to misinformation or undue influence in democratic workflows.
The Decidim security advisory (GHSA-w5xj-99cg-rccm) and fixing commit (1b99136a1c7aa02616a0b54a6ab88d12907a57a9) confirm patches in versions 0.30.5 and 0.31.1. As a workaround, administrators should disable amendment reactions for amendable components such as proposals until upgrading.
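To make the authorization gap concrete, here is an added illustration in Ruby (not Decidim's code; every class and method name is hypothetical) of reacting to an amendment: the vulnerable shape checks only that the actor is signed in, while the hardened shape honours the advisory's workaround (reactions disabled on the component) and then requires the actor to already be an author of the amended proposal before any coauthorship is granted.

```ruby
# Added illustration, not Decidim's code: a minimal model of reacting to an
# amendment, showing the missing authorization check beside a hardened one.
# All names here (Proposal, Amendment, react_*) are hypothetical.
Proposal  = Struct.new(:title, :coauthors, :reactions_enabled)
Amendment = Struct.new(:proposal, :amender, :state)

class NotAuthorized < StandardError; end

# Accepting merges the amendment and grants the amender coauthorship on the
# original proposal; rejecting only changes the state.
def apply_reaction!(amendment, reaction)
  if reaction == :accept
    amendment.state = :accepted
    coauthors = amendment.proposal.coauthors
    coauthors << amendment.amender unless coauthors.include?(amendment.amender)
  else
    amendment.state = :rejected
  end
  amendment
end

# Vulnerable shape (CWE-266): being signed in is the only requirement, so any
# registered user can decide amendments on proposals they do not own.
def react_vulnerable!(actor, amendment, reaction)
  raise NotAuthorized, "login required" if actor.nil?
  apply_reaction!(amendment, reaction)
end

# Hardened shape: honour the component-level workaround (reactions disabled),
# require the actor to be an author of the proposal, and never re-decide.
def react_hardened!(actor, amendment, reaction)
  proposal = amendment.proposal
  raise NotAuthorized, "reactions disabled" unless proposal.reactions_enabled
  raise NotAuthorized, "not an author" unless actor && proposal.coauthors.include?(actor)
  raise NotAuthorized, "already decided" unless amendment.state == :evaluating
  apply_reaction!(amendment, reaction)
end

# Constructed scenario: alice authored the proposal, bob amended it, and
# mallory (an unrelated registered user) tries to accept bob's amendment.
def outsider_accepts(handler)
  proposal  = Proposal.new("Bike lanes", ["alice"], true)
  amendment = Amendment.new(proposal, "bob", :evaluating)
  handler.call("mallory", amendment, :accept)
  [:accepted, proposal.coauthors]
rescue NotAuthorized
  [:denied, proposal.coauthors]
end
```

Calling `outsider_accepts(method(:react_vulnerable!))` yields `[:accepted, ["alice", "bob"]]`, i.e. an outsider has both decided the amendment and handed bob coauthorship; the hardened handler returns `[:denied, ["alice"]]`.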
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24251
Vulnerability details
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal, as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).
Related Threats
MITRE ATT&CK Enterprise Techniques
- Stored Data Manipulation (T1565.001)
Why these techniques?
Authorization bypass allows authenticated users to manipulate amendment states and coauthorship on proposals, directly enabling stored data manipulation.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing unauthorized registered users from accepting or rejecting amendments on proposals.
- AC-6 (Least Privilege): implements least privilege to restrict authenticated users from performing privileged actions such as manipulating amendment states and gaining improper coauthorship.
- SI-2 (Flaw Remediation): requires timely remediation of flaws, such as patching Decidim to version 0.30.5 or 0.31.1 to fix the authorization bypass.