GHSA-R3V7-5X4C-C69Q

Vulnerability from github – Published: 2026-07-13 17:16 – Updated: 2026-07-13 17:16
VLAI
Summary
Decidim: JWT-backed authentication can be replayed across organizations
Details

Description

A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.

Technical description

The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1.

Reproduction steps:

  1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin.

decidim-jwt-01

  1. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant org2.localhost:3001

decidim-jwt-02

Note that using a participant-generated JWT did not allow showing these results.

Impact

A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.

Patches

See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756

Workarounds

Disable JWT credentials on system panel (/system)

References

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0.rc1"
            },
            {
              "fixed": "0.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45414"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T17:16:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Description\n\nA JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2\u0027s `proposal.answer` mutation path.\n\n##  Technical description\n\nThe current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to\nthat host organization. As a result, the API can process a request in Org 2\u0027s context while still trusting an authenticated\nprincipal from Org 1.\n\nReproduction steps:\n\n1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or\nget the JWT token shown in the response when logged in as the organization admin.\n\n\u003cimg width=\"1080\" height=\"1119\" alt=\"decidim-jwt-01\" src=\"https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96\" /\u003e\n\n\n2. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant `org2.localhost:3001`\n \n\u003cimg width=\"1085\" height=\"1047\" alt=\"decidim-jwt-02\" src=\"https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0\" /\u003e\n\nNote that using a participant-generated JWT did not allow showing these results.\n\n### Impact\n\nA JWT issued for one organization can be replayed successfully against another organization\u0027s API and used to retrieve sensitive details from that organization.\n\n### Patches\n\nSee https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756\n\n### Workarounds\n\nDisable JWT credentials on system panel (`/system`) \n\n### References\n\nOWASP A01:2021 Broken Access Control\n\n### Credits\n\nThis issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).",
  "id": "GHSA-r3v7-5x4c-c69q",
  "modified": "2026-07-13T17:16:57Z",
  "published": "2026-07-13T17:16:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-r3v7-5x4c-c69q"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/16673"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/16756"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim/decidim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Decidim: JWT-backed authentication can be replayed across organizations"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…