RubySec

Providing security resources for the Ruby community

CVE-2026-45414 (decidim): Decidim - JWT-backed authentication can be replayed across organizations

Decidim - JWT-backed authentication can be replayed across organizations

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim

SEVERITY

CVSS v3.x: 8.5 (High)

PATCHED VERSIONS

~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.

Impact

A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED