Cyber Resilience

CVE-2026-40870

Severity: High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score: 0.0004 (14.3th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40870 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-40870 is a missing authorization vulnerability (CWE-862) in Decidim, an open-source participatory democracy framework. From version 0.0.1 up to but excluding 0.30.5 and 0.31.1, the root-level `commentable` field in the GraphQL API lacks permission checks, enabling access to all commentable resources across the platform. This affects every Decidim instance whose `/api` endpoint has not been secured; in the default configuration that endpoint is publicly accessible.

Unauthenticated attackers with network access can exploit this issue by querying the `/api` endpoint's `commentable` field, bypassing authorization to read potentially sensitive data in commentable resources. Exploitation requires no privileges or user interaction, achieving high confidentiality impact as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The impact depends on the instance: public data platforms face minimal risk, while those with private participation spaces risk unauthorized data exposure.

Patches are available in Decidim versions 0.30.5 and 0.31.1. Workarounds include restricting `/api` access to authenticated users via custom code or the third-party `Decidim::Apiauth` module, or disabling the endpoint entirely by omitting `allow` statements in configuration. The "Force users to authenticate before access organization" setting, introduced in 0.19.0 and applied to `/api` in 0.22.0, further limits scope to permitted users. See the advisory at https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx for details.
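The following is an added illustration, not Decidim's own code: a toy model of the `commentable` lookup showing the CWE-862 pattern (a root-level lookup with no permission check) beside a hardened version, plus a Rack-style guard that implements the page's endpoint-level workaround, where an empty allow list disables all traffic to `/api`. The resource model, session shape, `ApiGuard` class and `AUTHENTICATED` rule are all assumptions made for this example.

```ruby
# Constructed in-memory model; field names are assumptions, not Decidim's schema.
Commentable = Struct.new(:id, :body, :private_space)   # private_space nil => public resource
Session     = Struct.new(:user_id, :member_of)         # user_id nil => unauthenticated caller

STORE = [
  Commentable.new(1, "public proposal", nil),
  Commentable.new(2, "private assembly note", :assembly_7),
].freeze

# Vulnerable pattern (CWE-862): the root-level field returns any resource by id,
# regardless of who is asking.
def commentable_unchecked(id, _session)
  STORE.find { |entry| entry.id == id }
end

# Hardened pattern: the root field itself enforces visibility before returning data.
def commentable_checked(id, session)
  entry = STORE.find { |e| e.id == id }
  return nil if entry.nil?
  return entry if entry.private_space.nil?                      # public data stays public
  return nil if session.nil? || session.user_id.nil?            # anonymous: deny private data
  session.member_of.include?(entry.private_space) ? entry : nil # members of the space only
end

# Endpoint-level workaround (hypothetical middleware, not Decidim::Apiauth):
# requests under /api pass only if some allow rule accepts the session;
# an empty allow list therefore blocks all traffic to /api.
class ApiGuard
  def initialize(app, allow:)
    @app = app
    @allow = allow
  end

  def call(env)
    return @app.call(env) unless env["PATH_INFO"].to_s.start_with?("/api")
    session = env["rack.session"]
    unless @allow.any? { |rule| rule.call(session) }
      return [401, { "content-type" => "text/plain" }, ["unauthorized"]]
    end
    @app.call(env)
  end
end

# Allow rule equivalent to "only authenticated users may reach /api".
AUTHENTICATED = ->(session) { !session.nil? && !session.user_id.nil? }
```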

Vulnerability details

Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configuration. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting access to the `/api` endpoint. This would require custom code or installing the third-party module `Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The same configuration can also be used without the `allow` statements to disable all traffic to the `/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider the nature of the platform. If the platform is primarily serving public data, this vulnerability is not serious by its nature. If the platform is protecting some resources, e.g. inside private participation spaces, the vulnerability may expose some data to the attacker that is not meant to be public. For those who have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authorization flaw in a publicly accessible GraphQL API endpoint (/api), directly enabling unauthenticated network-based exploitation to access sensitive data, which maps to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Mitigating Controls (NIST 800-53 r5) AI

AC-3 (prevent): mandates enforcement of approved authorizations for access to resources, directly mitigating the missing permission checks on the API's `commentable` field.

AC-14 (prevent): requires identification and documentation of actions permitted without authentication, preventing unauthorized public access to sensitive commentable resources via the API.

SC-14 (prevent): establishes controls to protect information resources from unauthorized public access, addressing exposure through the default publicly accessible `/api` endpoint.
