Decidim, Broken Access Control, CVE-2026-45414 (High) -DC-Jul2026-947

Listen to this Post

How CVE-2026-45414 Works

The vulnerability arises from a fundamental flaw in how Decidim, a participatory democracy framework, handles JSON Web Token (JWT) authentication across multiple organizations (tenants) hosted on the same platform.
Decidim supports a multi-tenant architecture where different organizations can operate on the same instance. The current host header selects the organization context, but the JWT-backed API authentication is not sufficiently bound to that specific host organization. This creates a trust-boundary violation.
When a JWT is issued to a user in Organization 1 (Org 1), it is intended to authenticate that user within Org 1’s context. However, due to the missing host-organization binding, this JWT can be replayed against Organization 2’s (Org 2) API endpoint. The Decidim API, processing the request in Org 2’s context, incorrectly trusts the authenticated principal from Org 1.
An attacker with a valid JWT from Org 1 can modify the `Host` header in their API requests to point to Org 2’s domain (e.g., org2.localhost:3001). The API, failing to verify that the JWT’s intended audience matches the requested organization, accepts the token and processes the request.
This allows the attacker to access sensitive, admin-only GraphQL fields, such as participantDetails, for participants in Org 2. Furthermore, the same flaw allows an Org 1 API user to replay their JWT to Org 2’s API to read personal data of Org 2 participants and even reach Org 2’s `proposal.answer` mutation path. The vulnerability is limited to JWTs generated for administrative or API-user accounts; participant-generated JWTs were found to be insufficient to trigger the flaw.

DailyCVE Form:

Platform: Decidim
Version: <0.31.5, <0.32.0
Vulnerability: JWT Org Replay
Severity: High
date: 2026-07-13

Prediction: 2026-07-13 (Patched)

What Undercode Say:

The vulnerability’s root cause is a classic case of Broken Access Control (OWASP A01:2021). The API gateway or authentication middleware fails to enforce that the JWT’s audience (aud claim) or a similar mechanism is validated against the target organization’s context. The trust boundary is incorrectly extended across tenants.

Analytics (Bash Commands & Codes)

The following conceptual examples illustrate the attack vector. Note that actual exploitation requires a valid administrative JWT.

1. Simulating the Replay Attack with `curl`

This command demonstrates replaying a JWT obtained from Org 1 against Org 2’s API.

JWT obtained from Organization 1
JWT_TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwib3JnYW5pemF0aW9uIjoiMSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMn0.4iYa9f7Jp0FQ6M6n4jK7xL8vZ9wQ1rT2yU3iO5pA7sE"
Replay the JWT against Organization 2's API to access participant details
curl -X GET "https://org2.decidim.local/api/graphql" \
-H "Host: org2.decidim.local" \
-H "Authorization: Bearer $JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{"query":"query { participantDetails(id: \"123\") { name email } }"}'

2. Conceptual Patch Verification (Decidim::ApiAuth)

The patches (decidim/decidim16673 and 16756) likely introduce organization context validation within the `Decidim::ApiAuth` module. A conceptual fix involves checking the JWT’s claims against the current organization.

Conceptual patch within Decidim::ApiAuth
module Decidim
module ApiAuth
class << self
def authenticate!(request)
token = extract_token(request)
... decode token ...
PATCH: Validate organization context
current_organization = request.env["decidim.current_organization"]
if payload["organization_id"] != current_organization.id
raise Decidim::ApiAuth::InvalidOrganizationError, "JWT organization mismatch"
end
... proceed with authentication ...
end
end
end
end

Exploit:

An attacker with a JWT issued for Organization 1 can exploit this vulnerability by replaying the same token against the API endpoint of Organization 2. The steps are:
1. Obtain a JWT: Acquire a valid JWT token. This could be an API key provided by the system administrator for Org 1 or the JWT shown in the response when logged in as an admin of Org 1.
2. Replay the Token: Use this JWT to make an API request to Org 2’s endpoint. The critical step is to change the `Host` header to that of Org 2 (e.g., org2.localhost:3001).
3. Access Sensitive Data: The API, failing to bind the token to Org 1, processes the request in Org 2’s context. The attacker can then query admin-only GraphQL fields like `participantDetails` to exfiltrate sensitive personal data of Org 2’s participants. They could also potentially perform unauthorized actions like mutating proposals via the `proposal.answer` path.

Protection:

Protecting against CVE-2026-45414 involves a combination of immediate workarounds and applying official patches:
Apply Patches: The definitive fix is to upgrade to the patched versions of Decidim. The vulnerability is fixed in versions 0.31.5 and 0.32.0. Administrators should update their instances immediately.
Workaround – Disable JWT: As a temporary measure, system administrators can disable JWT credentials entirely via the system panel at the `/system` endpoint. This will prevent the creation and use of JWT tokens, mitigating the attack vector.
Network Restriction: As an additional layer of defense, restrict access to the `/api` endpoint to only authenticated and trusted users. This can be done through custom code or by installing a third-party module like Decidim::Apiauth.

Impact:

The impact of this vulnerability is severe due to the multi-tenant nature of Decidim deployments.
Data Breach: An attacker can read sensitive, admin-only participant details from other organizations, leading to a significant privacy breach and potential legal consequences.
Unauthorized Data Manipulation: The ability to reach another organization’s `proposal.answer` mutation path allows an attacker to tamper with proposals, undermining the integrity of participatory processes in the targeted organization.
Trust Boundary Violation: The vulnerability completely breaks the trust boundary between different organizations hosted on the same Decidim instance, exposing all tenants to risk from any single compromised administrative account.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top