cvedb.io
CVE-2026-40869
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-21T20:17:00.207 · Last modified 2026-06-17T10:45:47.800

Summary

Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendment. The impact falls on any user who has created proposals in a component where the amendments feature is enabled. Accepting an amendment also elevates the accepting user to author of the original proposal, because users who amend proposals are granted coauthorship on coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).

Affected products

decidim — decidim

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.