CVE-2026-40870
Published: 21 April 2026
Summary
CVE-2026-40870 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-40870 is a missing authorization vulnerability (CWE-862) in Decidim, an open-source participatory democracy framework. From version 0.0.1 up to but excluding 0.30.5 and 0.31.1, the root-level `commentable` field in the GraphQL API lacks permission checks, enabling access to all commentable resources across the platform. This affects every Decidim instance where the `/api` endpoint has not been secured, which is the default configuration: the endpoint is publicly accessible out of the box.
Unauthenticated attackers with network access can exploit this issue by querying the `/api` endpoint's `commentable` field, bypassing authorization to read potentially sensitive data in commentable resources. Exploitation requires no privileges or user interaction, achieving high confidentiality impact as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The impact depends on the instance: public data platforms face minimal risk, while those with private participation spaces risk unauthorized data exposure.
Patches are available in Decidim versions 0.30.5 and 0.31.1. Workarounds include restricting `/api` access to authenticated users via custom code or the third-party `Decidim::Apiauth` module, or disabling the endpoint entirely by omitting `allow` statements in configuration. The "Force users to authenticate before access organization" setting, introduced in 0.19.0 and applied to `/api` in 0.22.0, further limits scope to permitted users. See the advisory at https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx for details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24252
Vulnerability details
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configuration. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting access to the `/api` endpoint. This would require custom code or installing the 3rd party module `Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The same configuration can also be used without the `allow` statements to disable all traffic to the `/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider the nature of the platform. If the platform is primarily serving public data, this vulnerability is not serious by its nature. If the platform is protecting some resources, e.g. inside private participation spaces, the vulnerability may expose some data to the attacker that is not meant to be public. For those who have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
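The flaw described in the Deeper analysis and Vulnerability details sections is a root-level API field that hands back every commentable resource without asking whether the caller may see it, and the advisory's workaround is to gate `/api` behind authentication. The following Ruby is an added illustration of both, not Decidim's code and not the `Decidim::Apiauth` module: it models the unchecked resolver beside one that enforces a per-resource read permission (the AC-3 control named below), and a Rack-style middleware that answers 401 on `/api` when no session user is present. Every class, field name, permission rule and sample record here is a constructed assumption.

```ruby
require 'json'

# Added example, not Decidim's code. Models the CWE-862 pattern in the advisory:
# a root-level `commentable` field returning all resources with no permission
# check, next to an authorized version, plus an "authenticated users only" gate
# on `/api`. All names, rules and data below are constructed assumptions.

User = Struct.new(:id, keyword_init: true)

# A commentable resource. `private_space` marks resources inside a private
# participation space; `member_ids` lists users admitted to that space.
Commentable = Struct.new(:id, :body, :private_space, :member_ids, keyword_init: true) do
  # Constructed authorization rule: public-space resources are readable by
  # anyone, private-space resources only by admitted members.
  def readable_by?(user)
    return true unless private_space
    !user.nil? && member_ids.include?(user.id)
  end
end

# Constructed sample data standing in for the platform's store.
STORE = [
  Commentable.new(id: 1, body: "public proposal",          private_space: false, member_ids: []),
  Commentable.new(id: 2, body: "private budget note",      private_space: true,  member_ids: [42]),
  Commentable.new(id: 3, body: "private assembly minutes", private_space: true,  member_ids: [7]),
].freeze

# Vulnerable resolver (CWE-862): ignores the caller and returns every resource id.
def resolve_commentable_unchecked(store = STORE, user: nil)
  store.map(&:id)
end

# Fixed resolver: checks each resource against the caller before returning it.
def resolve_commentable_authorized(store = STORE, user: nil)
  store.select { |c| c.readable_by?(user) }.map(&:id)
end

# Rack-style middleware for the advisory's workaround: requests under the API
# prefix without a session user get 401; all other requests pass through.
class ApiAuthGate
  def initialize(app, prefix: "/api")
    @app = app
    @prefix = prefix
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    if path == @prefix || path.start_with?("#{@prefix}/")
      user_id = env.dig("rack.session", "user_id")
      if user_id.nil?
        body = JSON.generate({ "error" => "authentication required" })
        return [401, { "content-type" => "application/json" }, [body]]
      end
    end
    @app.call(env)
  end
end

# Constructed inner app answering the `commentable` query with the fixed resolver.
API_APP = lambda do |env|
  uid  = env.dig("rack.session", "user_id")
  user = uid && User.new(id: uid)
  body = JSON.generate({ "data" => { "commentable" => resolve_commentable_authorized(user: user) } })
  [200, { "content-type" => "application/json" }, [body]]
end

# Run one request through the gate; returns [status, parsed JSON body].
def api_request(path, user_id: nil)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "POST", "rack.session" => {} }
  env["rack.session"]["user_id"] = user_id if user_id
  status, _headers, body = ApiAuthGate.new(API_APP).call(env)
  [status, JSON.parse(body.join)]
end

if __FILE__ == $PROGRAM_NAME
  p resolve_commentable_unchecked              # => [1, 2, 3]  (every resource leaks)
  p resolve_commentable_authorized(user: nil)  # => [1]
  p api_request("/api")                        # => [401, {"error"=>"authentication required"}]
  p api_request("/api", user_id: 42)           # => [200, {"data"=>{"commentable"=>[1, 2]}}]
end
```

The two layers are independent on purpose: the gate reduces exposure to logged-in users, as the advisory's "Force users to authenticate" setting does, but only the per-resource check in the resolver stops one authenticated user from reading another space's private resources.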
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization flaw in a publicly accessible GraphQL API endpoint (/api), directly enabling unauthenticated network-based exploitation to access sensitive data, which maps to T1190 Exploit Public-Facing Application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to resources, directly mitigating the missing permission checks on the API's commentable field.
AC-14 requires identification and documentation of actions permitted without authentication, preventing unauthorized public access to sensitive commentable resources via the API.
SC-14 establishes controls to protect information resources from unauthorized public access, addressing exposure through the default publicly accessible /api endpoint.