CVE-2026-40869 | Decidim up to 0.30.4/0.31.0 privileges assignment (GHSA-w5xj-99cg-rccm)

VDB-358582 · CVE-2026-40869 · GHSA-W5XJ-99CG-RCCM DECIDIM UP TO 0.30.4/0.31.0 PRIVILEGES ASSIGNMENT HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 1.78+ Summaryinfo A vulnerability classified as problematic was found in Decidim up to 0.30.4/0.31.0. This issue affects some unknown processing. Executing a manipulation can lead to privileges assignment. This vulnerability is tracked as CVE-2026-40869. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised. Detailsinfo A vulnerability has been found in Decidim up to 0.30.4/0.31.0 and classified as problematic. This vulnerability affects an unknown function. The manipulation with an unknown input leads to a privileges assignment vulnerability. The CWE definition for the vulnerability is CWE-266. A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. As an impact it is known to affect integrity. CVE summarizes: Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals). The advisory is available at github.com. This vulnerability was named CVE-2026-40869 since 04/15/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project. Upgrading to version 0.30.5 or 0.31.1 eliminates this vulnerability. Applying the patch 1b99136a1c7aa02616a0b54a6ab88d12907a57a9 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Name Decidim Version 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0.10 0.11 0.12 0.13 0.14 0.15 0.16 0.17 0.18 0.19 0.20 0.21 0.22 0.23 0.24 0.25 0.26 0.27 0.28 0.29 0.30 0.30.0 0.30.1 0.30.2 0.30.3 0.30.4 0.31.0 License open-source Website Product: https://github.com/decidim/decidim/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Privileges assignment CWE: CWE-266 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Decidim 0.30.5/0.31.1 Patch: 1b99136a1c7aa02616a0b54a6ab88d12907a57a9 Timelineinfo 04/15/2026 CVE reserved 04/21/2026 +6 days Advisory disclosed 04/21/2026 +0 days VulDB entry created 04/21/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-w5xj-99cg-rccm Status: Confirmed CVE: CVE-2026-40869 (🔒) GCVE (CVE): GCVE-0-2026-40869 GCVE (VulDB): GCVE-100-358582 Entryinfo Created: 04/21/2026 22:33 Changes: 04/21/2026 22:33 (64) Complete: 🔍 Cache ID: 99:B09:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸