API Access Vulnerability in Decidim Framework Affects Public Resources
CVE-2026-40870

7.5 HIGH

Key Information:

Vendor: Decidim
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-40870?

The Decidim framework contains an improper access control vulnerability in its API: the root-level commentable field can be queried without any authentication. This flaw lets unauthenticated users read every commentable resource, exposing potentially sensitive information, particularly on instances that are not meant to be public. Any instance running a vulnerable version with the API endpoint left unsecured may therefore disclose data to unauthorized users. The remediation is to update to version 0.30.5 or 0.31.1, which address this vulnerability. Alternatively, securing the API with authentication limits exposure, although this may require custom code or a third-party module. Organizations are encouraged to apply these fixes promptly to safeguard their platforms.
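The "custom code" route mentioned above, as an added example that is not Decidim's own code: a Rack middleware for a Rails host application that rejects unauthenticated requests to the API mount point. It assumes the API is mounted at /api (the Decidim default) and that the signed-in user is exposed through Warden as env["warden"].user, as Devise provides; the class name, the 401 body and the insertion point are this example's own choices.

```ruby
# Added example, not part of Decidim: deny unauthenticated access to the API
# endpoint until the instance is updated to 0.30.5 / 0.31.1. Install it after
# Warden so the session is already resolved, e.g. in config/application.rb:
#   config.middleware.insert_after Warden::Manager, RequireApiAuthentication
class RequireApiAuthentication
  # Assumption: the Decidim API (GraphQL endpoint and GraphiQL UI) lives under /api.
  API_PREFIX = "/api".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless api_request?(path)
    return @app.call(env) if authenticated?(env)

    # Reject with a JSON error so GraphQL clients receive a parseable response.
    [401,
     { "Content-Type" => "application/json" },
     [%({"errors":[{"message":"Authentication required"}]})]]
  end

  private

  # Match "/api" and anything below it, but not unrelated paths like "/apiary".
  def api_request?(path)
    path == API_PREFIX || path.start_with?("#{API_PREFIX}/")
  end

  # Assumption: Warden (via Devise) has run and set env["warden"]; a nil user
  # means an anonymous request.
  def authenticated?(env)
    warden = env["warden"]
    !warden.nil? && warden.respond_to?(:user) && !warden.user.nil?
  end
end
```

This only narrows exposure for the API as a whole; it does not restore per-resource authorization inside the API, which is what the patched versions fix.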

Affected Version(s)

decidim > 0.31.0.rc1, < 0.31.1

decidim >= 0.0.1, < 0.30.5


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
