Cyber Resilience

CVE-2026-40869

Severity: High
Published: 21 April 2026
Modified: 23 April 2026
KEV: not added
Patch: available
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0004 (12.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40869 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Decidim (vendor Decidim, product Decidim). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked in the 12.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-40869 is an authorization vulnerability (CWE-266) in Decidim, an open-source participatory democracy framework. It affects versions from 0.19.0 up to but not including 0.30.5, and 0.31.0 up to but not including 0.31.1. The flaw allows any registered and authenticated user to accept or reject amendments on proposals, bypassing the intended permission check. This impacts proposal creators who have enabled the amendments feature: unauthorized users can manipulate amendment states and, because accepted amenders are granted coauthorship on the amended resource, end up recorded as authors of proposals they did not write.

Any registered and authenticated user on a vulnerable Decidim instance can exploit this remotely over the network with low complexity, requiring no special privileges beyond basic login (CVSS v3.1 base score of 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Attackers can arbitrarily accept or reject amendments on any proposal, disrupting participatory processes and falsifying coauthorship credits, potentially leading to misinformation or undue influence in democratic workflows.

The Decidim security advisory (GHSA-w5xj-99cg-rccm) and fixing commit (1b99136a1c7aa02616a0b54a6ab88d12907a57a9) confirm patches in versions 0.30.5 and 0.31.1. As a workaround, administrators should disable amendment reactions for amendable components such as proposals until upgrading.
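As an added illustration (not Decidim's code and not taken from the advisory), a hypothetical Ruby model of the permission check: the vulnerable form asks only whether the requester is signed in, while the hardened form requires the requester to be an author of the amended proposal, honours a component-level reactions switch that mirrors the advisory's workaround, and only allows a reaction while the amendment is still awaiting a decision. The names Amendable, Amendment, can_react_vulnerable?, can_react_fixed? and react are invented for the example.

```ruby
# Hypothetical model of the CVE-2026-40869 permission flaw (constructed example, not Decidim's code).
# A proposal (the "amendable") has coauthors; an amendment targets it, and the amender becomes a
# coauthor of the proposal once the amendment is accepted.
User = Struct.new(:id)
Amendable = Struct.new(:coauthor_ids)

class Amendment
  attr_reader :amendable, :amender_id, :state
  def initialize(amendable, amender_id)
    @amendable = amendable
    @amender_id = amender_id
    @state = :evaluating
  end

  # Accepting grants the amender coauthorship of the original proposal.
  def accept!
    @state = :accepted
    @amendable.coauthor_ids << @amender_id unless @amendable.coauthor_ids.include?(@amender_id)
  end

  def reject!
    @state = :rejected
  end
end

# Vulnerable check: the only question asked is "is this a signed-in user?", so any registered
# account may accept or reject amendments on any proposal.
def can_react_vulnerable?(user, _amendment)
  !user.nil?
end

# Hardened check: the requester must be a coauthor of the amended proposal, reactions must be
# enabled for the component (the advisory's workaround disables them), and the amendment must
# still be awaiting a decision.
def can_react_fixed?(user, amendment, reactions_enabled: true)
  return false unless reactions_enabled
  return false if user.nil?
  return false unless amendment.state == :evaluating
  amendment.amendable.coauthor_ids.include?(user.id)
end

# Applies :accept or :reject after consulting the given authorizer; returns the resulting state.
def react(user, amendment, action, authorizer)
  return :forbidden unless authorizer.call(user, amendment)
  action == :accept ? amendment.accept! : amendment.reject!
  amendment.state
end
```

Under the vulnerable check a registered user can file an amendment against someone else's proposal and accept it themselves, which is exactly how coauthorship ends up on the wrong account; the hardened check returns :forbidden for that request.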

Vulnerability details

Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal, as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Authorization bypass allows authenticated users to manipulate amendment states and coauthorship on proposals, directly enabling stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23891: same product (Decidim Decidim)
CVE-2026-42368: shared CWE-266
CVE-2025-69293: shared CWE-266
CVE-2026-22315: shared CWE-266
CVE-2026-42680: shared CWE-266
CVE-2025-69378: shared CWE-266
CVE-2026-22907: shared CWE-266
CVE-2026-27102: shared CWE-266
CVE-2025-22736: shared CWE-266
CVE-2024-40591: shared CWE-266

Affected Assets

Vendor: decidim
Product: decidim
Affected versions: 0.19.0 up to (not including) 0.30.5; 0.31.0 up to (not including) 0.31.1

Mitigating Controls (NIST 800-53 r5, AI-assigned)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly preventing unauthorized registered users from accepting or rejecting amendments on proposals.

AC-6 Least Privilege (prevent)
Implements least privilege to restrict authenticated users from performing privileged actions like manipulating amendment states and gaining improper coauthorship.

Flaw remediation (prevent, recover; control identifier not given on the page)
Requires timely remediation of flaws, such as patching Decidim to versions 0.30.5 or 0.31.1 to fix the authorization bypass vulnerability.
