CVE-2026-40869 Overview
CVE-2026-40869 is an authorization bypass vulnerability in Decidim, a participatory democracy framework written in Ruby. In versions from 0.19.0 up to, but not including, 0.30.5 and 0.31.1, any registered and authenticated user can accept or reject any amendment, regardless of whether they authored the original proposal.
Critical Impact
Authenticated users can manipulate proposal amendments they do not own, gaining unauthorized coauthorship of proposals and undermining the integrity of democratic participation processes.
Affected Products
- Decidim versions 0.19.0 through 0.30.4
- Decidim version 0.31.0 (prior to 0.31.1)
- All Decidim deployments with the amendments feature enabled
Discovery Timeline
- April 21, 2026 - CVE-2026-40869 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40869
Vulnerability Analysis
This vulnerability represents a Broken Access Control flaw (CWE-266: Incorrect Privilege Assignment) in Decidim's amendment handling functionality. The framework fails to properly validate that the user accepting or rejecting an amendment is actually the author of the original proposal being amended.
The impact extends beyond a simple unauthorized action: when a malicious user accepts an amendment, they are incorrectly elevated to coauthor status on the original proposal. This occurs because Decidim's coauthorable resources feature grants coauthorship through the amendment workflow, while the authorization check that should restrict accept and reject actions to legitimate proposal authors is missing.
This vulnerability affects the core democratic integrity of Decidim deployments, as unauthorized users can manipulate the collaborative proposal process and gain attribution rights they should not possess.
Root Cause
The root cause is a missing authorization check in the amendment reaction workflow. The application never verifies that the authenticated user requesting to accept or reject an amendment is an author (or coauthor) of the original proposal. Any authenticated user can therefore invoke the amendment reaction endpoints and manipulate proposals they did not create.
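As an added illustration, not Decidim's own code (which uses its own permissions layer), the missing check reduced to a minimal Ruby model: `accept_amendment_vulnerable` verifies only that a session exists, while `accept_amendment_hardened` also requires the caller to be an author of the amended proposal. `User`, `Proposal`, `Amendment` and both functions are hypothetical names.

```ruby
# Hypothetical model of the amendment reaction workflow (not Decidim's code).
User = Struct.new(:id)

# A proposal that can be amended; `coauthors` mirrors Decidim's coauthorable resources.
class Proposal
  attr_reader :id, :coauthors

  def initialize(id, author)
    @id = id
    @coauthors = [author]
  end

  # Only current coauthors count as legitimate proposal authors.
  def authored_by?(user)
    coauthors.any? { |c| c.id == user.id }
  end

  def add_coauthor(user)
    coauthors << user unless authored_by?(user)
  end
end

# An amendment proposed by `amender` against the `amendable` proposal.
Amendment = Struct.new(:id, :amendable, :amender, :state)

class NotAuthorized < StandardError; end

# Vulnerable pattern: only checks that the caller is logged in, then accepts the
# amendment and grants coauthorship to the amender. An amender who accepts their
# own amendment becomes a coauthor of a proposal they never authored.
def accept_amendment_vulnerable(amendment, current_user)
  raise NotAuthorized, "login required" if current_user.nil?

  amendment.state = :accepted
  amendment.amendable.add_coauthor(amendment.amender)
  amendment
end

# Hardened pattern: the caller must already be an author of the amended proposal.
def accept_amendment_hardened(amendment, current_user)
  raise NotAuthorized, "login required" if current_user.nil?
  unless amendment.amendable.authored_by?(current_user)
    raise NotAuthorized, "not an author of the amended proposal"
  end

  amendment.state = :accepted
  amendment.amendable.add_coauthor(amendment.amender)
  amendment
end
```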
Attack Vector
An attacker with a valid authenticated session can exploit this vulnerability over the network. The attack requires:
- A registered and authenticated user account on the target Decidim instance
- The amendments feature enabled on a proposals component
- Knowledge or discovery of existing proposals with pending amendments
The attacker can then send requests to accept or reject amendments on any proposal, bypassing the intended authorization model. Upon successful exploitation, the attacker may be granted coauthorship status on the targeted proposal.
// Security patch demonstrating the fix for amendment step settings
// Source: https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9
-// Checks if the form contains a field with a special CSS class added in
-// Decidim::Admin::SettingsHelper. If so, prevents the checkbox from being clicked,
-// extracts the stored text and adds a new paragraph after the field.
+// Checks if the form contains fields with special CSS classes added in
+// Decidim::Admin::SettingsHelper and acts accordingly.
$(() => {
- const $checkbox = $(".participatory_texts_disabled");
+ // Prevents checkbox with ".participatory_texts_disabled" class from being clicked.
+ const $participatoryTexts = $(".participatory_texts_disabled");
- $checkbox.click((event) => {
+ $participatoryTexts.click((event) => {
event.preventDefault();
return false;
});
- if ($checkbox.length > 0) {
- const $text = $checkbox[0].dataset.text
+ // (1) Hides fields with ".amendments_step_settings" class if amendments_enabled
+ // component setting is NOT checked.
+ // (2) Toggles visibilty of fields with ".amendments_step_settings" class when
+ // amendments_enabled component setting is clicked.
+ const $amendmentsEnabled = $("input#component_settings_amendments_enabled");
- $checkbox.parent().after(`<p class="help-text">${$text}</p>`)
+ if ($amendmentsEnabled.length > 0) {
+ const $amendmentStepSettings = $(".amendments_step_settings").parent();
+
+ if ($amendmentsEnabled.is(":not(:checked)")) {
+ $amendmentStepSettings.hide().siblings(".help-text").hide();
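Review bot: this hunk is the admin settings UI change (hiding the `.amendments_step_settings` fields when `input#component_settings_amendments_enabled` is unchecked) and contains no authorization check, so it should not be read as the server-side fix for the bypass described above; the authorization change must be elsewhere in the commit. Two smaller points: the removed `if ($checkbox.length > 0)` block that read `dataset.text` and appended `<p class="help-text">` has no visible replacement in this excerpt, so confirm that behaviour was intentionally dropped or moved; and the added comment misspells "visibilty" (should be "visibility"). The excerpt also ends inside the `if ($amendmentsEnabled.length > 0)` block, so the closing braces are not shown.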
Source: GitHub Commit 1b99136
Detection Methods for CVE-2026-40869
Indicators of Compromise
- Unexpected changes in proposal authorship or coauthorship records
- Amendments being accepted or rejected by users who are not the original proposal authors
- Anomalous activity patterns where a single user interacts with many proposals across different participatory spaces
- Audit logs showing amendment reactions from users without proper proposal ownership
Detection Strategies
- Monitor application logs for amendment accept/reject actions and correlate with proposal ownership data
- Implement custom alerts for amendment reactions performed by non-authors on proposals
- Review database records for coauthorship assignments that do not match expected user relationships
- Analyze request patterns to amendment-related API endpoints for suspicious activity
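The log correlation described above, as an added Ruby example that is not part of Decidim: it parses constructed audit lines in a made-up `user_id=… action=amendment.accept … proposal_id=…` format, joins each reaction against a constructed proposal-ownership table, and flags both reactions by non-authors and users reacting across many proposals. Adapt `LOG_PATTERN` to your own audit log schema.

```ruby
require "set"

# Constructed log format for this example; real Decidim logs will differ.
LOG_PATTERN = /\A(?<ts>\S+) user_id=(?<user>\d+) action=amendment\.(?<verb>accept|reject) amendment_id=(?<amend>\d+) proposal_id=(?<prop>\d+)\z/

# Parses one audit line; returns nil for lines that are not amendment reactions.
def parse_reaction(line)
  m = LOG_PATTERN.match(line.strip)
  return nil unless m

  { ts: m[:ts], user: m[:user].to_i, verb: m[:verb], amendment: m[:amend].to_i, proposal: m[:prop].to_i }
end

# Flags reactions whose actor is not among the proposal's authors/coauthors.
# `ownership` maps proposal_id => Set of legitimate author ids.
def non_author_reactions(lines, ownership)
  lines.filter_map { |l| parse_reaction(l) }.select do |r|
    !ownership.fetch(r[:proposal], Set.new).include?(r[:user])
  end
end

# Flags users who reacted to amendments on at least `threshold` distinct proposals.
def bulk_reactors(lines, threshold: 3)
  per_user = Hash.new { |h, k| h[k] = Set.new }
  lines.filter_map { |l| parse_reaction(l) }.each { |r| per_user[r[:user]] << r[:proposal] }
  per_user.select { |_, props| props.size >= threshold }.keys
end

# Constructed sample data: proposal 3 and 5 are authored by user 11, proposal 4 by 12 and 13.
SAMPLE_OWNERSHIP = { 3 => Set[11], 4 => Set[12, 13], 5 => Set[11] }
SAMPLE_LOG = <<~LOG.lines
  2026-04-22T10:01:03Z user_id=11 action=amendment.accept amendment_id=7 proposal_id=3
  2026-04-22T10:02:10Z user_id=42 action=amendment.accept amendment_id=8 proposal_id=3
  2026-04-22T10:02:15Z user_id=42 action=amendment.reject amendment_id=9 proposal_id=4
  2026-04-22T10:02:20Z user_id=42 action=amendment.accept amendment_id=10 proposal_id=5
  2026-04-22T10:05:00Z user_id=13 action=amendment.reject amendment_id=11 proposal_id=4
  2026-04-22T10:06:00Z user_id=13 action=proposal.update proposal_id=4
LOG

if __FILE__ == $PROGRAM_NAME
  non_author_reactions(SAMPLE_LOG, SAMPLE_OWNERSHIP).each do |r|
    puts "ALERT non-author #{r[:verb]} by user #{r[:user]} on proposal #{r[:proposal]} at #{r[:ts]}"
  end
  puts "bulk reactors: #{bulk_reactors(SAMPLE_LOG).inspect}"
end
```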
Monitoring Recommendations
- Enable detailed audit logging for all amendment-related actions in Decidim
- Set up alerts for bulk amendment operations or rapid successive amendment reactions
- Periodically audit coauthorship records against expected proposal workflows
- Monitor authentication logs for accounts performing unusual volumes of amendment interactions
How to Mitigate CVE-2026-40869
Immediate Actions Required
- Upgrade Decidim to version 0.30.5 or 0.31.1 immediately
- If immediate upgrade is not possible, disable amendment reactions as a temporary workaround
- Audit existing proposals for unauthorized coauthorship additions
- Review amendment activity logs for signs of prior exploitation
Patch Information
The Decidim development team has released patched versions that address this authorization bypass vulnerability. The fix implements proper authorization checks to ensure only legitimate proposal authors can accept or reject amendments.
- Fixed Versions: 0.30.5 and 0.31.1
- Security Advisory: GitHub Security Advisory GHSA-w5xj-99cg-rccm
- Commit: 1b99136a1c7aa02616a0b54a6ab88d12907a57a9
Workarounds
- Disable amendment reactions for the amendable component (e.g., proposals) until patching is complete
- Restrict access to participatory spaces with amendments enabled to trusted users only
- Implement additional network-level access controls to limit exposure of affected functionality
- Consider temporarily disabling the amendments feature entirely in high-risk deployments
# Configuration example - Disable amendments in Decidim component settings
# Access the admin panel and navigate to:
# Processes > [Your Process] > Components > Proposals > Settings
# Uncheck "Amendments enabled" checkbox to disable the feature
# This prevents exploitation while preparing for upgrade
# After patching, update your Gemfile:
gem "decidim", "~> 0.30.5"
# or
gem "decidim", "~> 0.31.1"
# Then run:
bundle update decidim
rails db:migrate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.