Decidim - JWT-backed authentication can be replayed across organizations
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45414 (NVD)
- GHSA: GHSA-r3v7-5x4c-c69q
GEM
SEVERITY
CVSS v3.x: 8.5 (High)
PATCHED VERSIONS
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
A JWT issued to an Org 1 account is accepted on the Org 2 API and can
read the admin-only GraphQL participantDetails field for an Org 2
participant. The same trust-boundary problem also affects API-user
authentication: an Org 1 API user can use a JWT on the Org 1 host
and replay that JWT to the Org 2 API to read Org 2 participant
personal data and reach Org 2's proposal.answer mutation path.
Impact
A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45414
- https://rubygems.org/gems/decidim-core/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/pull/16673
- https://github.com/decidim/decidim/pull/16756
- https://advisories.gitlab.com/gem/decidim/CVE-2026-45414
- https://github.com/decidim/decidim/security/advisories/GHSA-r3v7-5x4c-c69q
- https://github.com/advisories/GHSA-r3v7-5x4c-c69q
