# CVE-2026-40869.yml
---
gem: decidim-core
cve: 2026-40869
ghsa: w5xj-99cg-rccm
url: https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
title: Decidim amendments can be accepted or rejected by anyone
date: 2026-04-14
description: |
  ### Impact
  The vulnerability allows any registered and authenticated user to
  accept or reject any amendment. The impact is on any users who
  have created proposals in a component where the amendments feature
  is enabled. It also elevates the user accepting the amendment to an
  author of the original proposal, since users who amend proposals are
  granted coauthorship of the coauthorable resource.
  The only check performed when accepting or rejecting an amendment is
  whether amendment reactions are enabled for the component; there is
  no check that the acting user is an author of the amended resource:
  - https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107
  The permission checks were changed in 1b99136, which was first
  included in release 0.19.0. I have not investigated whether prior
  versions are also affected.
  ### Patches
  Not available
  ### Workarounds
  Disable amendment reactions for the amendable component (e.g. proposals).
cvss_v3: 7.5
unaffected_versions:
  - "< 0.19.0"
patched_versions:
  - "~> 0.30.5"
  - ">= 0.31.1"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-40869
    - https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
    - https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9
    - https://github.com/advisories/GHSA-w5xj-99cg-rccm
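The Impact section above describes a missing-ownership authorization check: accept/reject is gated only on a component setting, and accepting an amendment grants the amender coauthorship of the proposal. The following Ruby is an added illustration written for this entry, not Decidim's code, and it does not use Decidim's classes or permission DSL. `Component`, `User`, `Proposal`, `Amendment`, the two permission modules and `accept_amendment` are assumed stand-ins that model the flaw beside a hardened check and the advisory's workaround (reactions disabled). The fixture data is constructed.

```ruby
# Added illustration, not Decidim's code: models the authorization gap the
# advisory describes (accept/reject gated only on a component setting) beside
# a hardened check. Every class and method name here is an assumed stand-in.
Component = Struct.new(:amendments_reactions_enabled, keyword_init: true)
User      = Struct.new(:id, :name, keyword_init: true)
Proposal  = Struct.new(:id, :coauthors, keyword_init: true)        # the amendable resource
Amendment = Struct.new(:id, :amendable, :emendation, :state, keyword_init: true)

# Mirrors the flaw: the only gate is whether amendment reactions are enabled
# for the component, so any authenticated user passes.
module VulnerableAmendmentPermissions
  def self.can_react?(user:, amendment:, component:)
    component.amendments_reactions_enabled
  end
end

# Hardened check: reactions must be enabled, the amendment must still be open
# for evaluation, and the acting user must be a coauthor of the amendable.
module HardenedAmendmentPermissions
  def self.can_react?(user:, amendment:, component:)
    return false unless component.amendments_reactions_enabled
    return false unless amendment.state == :evaluating
    amendment.amendable.coauthors.any? { |author| author.id == user.id }
  end
end

# Accept flow (simplified): the emendation's author is promoted to coauthor of
# the amendable, which is why an accept without an ownership check matters.
def accept_amendment(permissions:, user:, amendment:, component:)
  return :unauthorized unless permissions.can_react?(user: user, amendment: amendment, component: component)

  amendment.state = :accepted
  amendable = amendment.amendable
  amender = amendment.emendation[:author]
  amendable.coauthors << amender unless amendable.coauthors.any? { |a| a.id == amender.id }
  :accepted
end

# Constructed fixture: alice authored the proposal, bob amended it, mallory is
# an unrelated registered user.
def build_scenario
  alice   = User.new(id: 1, name: "alice")
  bob     = User.new(id: 2, name: "bob")
  mallory = User.new(id: 3, name: "mallory")
  proposal  = Proposal.new(id: 10, coauthors: [alice])
  amendment = Amendment.new(id: 20, amendable: proposal,
                            emendation: { author: bob, body: "amended text" },
                            state: :evaluating)
  component = Component.new(amendments_reactions_enabled: true)
  { alice: alice, mallory: mallory, proposal: proposal, amendment: amendment, component: component }
end

# Runs the same accept attempts through both permission modules and through
# the advisory's workaround; returns the outcomes so they can be inspected.
def run_demo
  results = {}

  s = build_scenario
  results[:vulnerable_mallory] = accept_amendment(permissions: VulnerableAmendmentPermissions,
                                                  user: s[:mallory], amendment: s[:amendment], component: s[:component])
  results[:vulnerable_coauthors] = s[:proposal].coauthors.map(&:name)   # bob now coauthors alice's proposal

  s = build_scenario
  args = { amendment: s[:amendment], component: s[:component] }
  results[:hardened_mallory]     = accept_amendment(permissions: HardenedAmendmentPermissions, user: s[:mallory], **args)
  results[:hardened_alice]       = accept_amendment(permissions: HardenedAmendmentPermissions, user: s[:alice], **args)
  results[:hardened_coauthors]   = s[:proposal].coauthors.map(&:name)
  results[:hardened_alice_again] = accept_amendment(permissions: HardenedAmendmentPermissions, user: s[:alice], **args)

  s = build_scenario
  s[:component].amendments_reactions_enabled = false   # the advisory's workaround
  results[:workaround_alice] = accept_amendment(permissions: VulnerableAmendmentPermissions,
                                                user: s[:alice], amendment: s[:amendment], component: s[:component])
  results
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the vulnerable module, mallory (who owns nothing) accepts the amendment and bob is added as coauthor of alice's proposal; the hardened module refuses mallory, lets alice accept once, and refuses a second accept because the amendment is no longer under evaluation. The last scenario shows that the workaround blocks even the legitimate author, which is the trade-off of disabling reactions until a patched version is deployed.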