CVE-2026-40870
CVE-2026-40870 is a high-severity vulnerability with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-24252
- Weakness: CWE-862
- Published:
- Last modified:
Description
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configuration. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting access to the `/api` endpoint. This would require custom code or installing the 3rd party module `Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The same configuration can be also used without the `allow` statements to disable all traffic to the the `/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider the nature of the platform. If the platform is primarily serving public data, this vulnerability is not serious by its nature. If the platform is protecting some resources, e.g. inside private participation spaces, the vulnerability may expose some data to the attacker that is not meant public. For those who have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
Frequently asked questions
- What is CVE-2026-40870?
- Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configuration. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting access to the `/api` endpoint. This would require custom code or installing the 3rd party module `Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The same configuration can be also used without the `allow` statements to disable all traffic to the the `/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider the nature of the platform. If the platform is primarily serving public data, this vulnerability is not serious by its nature. If the platform is protecting some resources, e.g. inside private participation spaces, the vulnerability may expose some data to the attacker that is not meant public. For those who have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
- How severe is CVE-2026-40870?
- CVE-2026-40870 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-40870 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-40870?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-40870 have an EU (EUVD) identifier?
- Yes. CVE-2026-40870 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-24252.
- When was CVE-2026-40870 published?
- CVE-2026-40870 was published on 2026-04-21 and last updated on 2026-06-17.
References
Other CWE-862 (Missing Authorization) vulnerabilities
- CVE-2026-0092 — Critical (CVSS 10.0): In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could…
- CVE-2026-33712 — Critical (CVSS 10.0): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…
- CVE-2026-2031 — Critical (CVSS 10.0): An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration…
- CVE-2026-34976 — Critical (CVSS 10.0): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing…
- CVE-2025-30416 — Critical (CVSS 10.0): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis…
- CVE-2025-45854 — Critical (CVSS 10.0): /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
Browse all CWE-862 (Missing Authorization) vulnerabilities →