CVSS 3.1 score: 7.5
Decidim's comments API allows access to all commentable resources
GHSA-ghmh-q25g-gxxx
Summary
### Impact
The root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances that have not secured the `/api` endpoint are impacted. The `/api` endpoint is publicly available with the default configuration.
What to do
- Update decidim-comments to version 0.31.1.
- Update decidim-api to version 0.31.1.
- Update decidim-comments to version 0.30.5.
- Update decidim-api to version 0.30.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| Decidim | decidim-comments | > 0.31.0.rc1, <= 0.31.1 | 0.31.1 |
| Decidim | decidim-api | > 0.31.0.rc1, <= 0.31.1 | 0.31.1 |
| Decidim | decidim-comments | > 0.0.1, <= 0.30.5 | 0.30.5 |
| Decidim | decidim-api | > 0.0.1, <= 0.30.5 | 0.30.5 |
Original title
Decidim's comments API allows access to all commentable resources
Original description
### Impact
The root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances that have not secured the `/api` endpoint are impacted. The `/api` endpoint is publicly available with the default configuration.
### Patches
Not available
### Workarounds
To mitigate the issue, you can limit the scope to authenticated users only by restricting access to the `/api` endpoint. This requires either custom code or installing the third-party module `Decidim::Apiauth`.
With custom code, the `/api` endpoint can be limited to authenticated users with the following initializer (it needs to run during application initialization):
```ruby
# Within your application
# config/initializers/limit_api_access.rb
module LimitApiAccess
  extend ActiveSupport::Concern

  included do
    # Prepended so it runs before any other before_action of the API
    # controller: unauthenticated requests are rejected before any query runs.
    prepend_before_action do |controller|
      unless controller.send(:user_signed_in?)
        render plain: I18n.t("actions.login_before_access", scope: "decidim.core"), status: :unauthorized
      end
    end
  end
end

# Include the concern once the API controller class has been loaded.
Rails.application.config.to_prepare do
  Decidim::Api::ApplicationController.include(LimitApiAccess)
end
```
Please note that this only disables public access to the API; all authenticated users would still be able to exploit the vulnerability. This may be sufficient for some installations, but not for all.
Another workaround is to limit the availability of the `/api` endpoint to the trusted IP addresses or ranges that need to access the API. The following Nginx configuration restricts API access to specific IPs:
```nginx
location /api {
  allow 192.168.1.100;
  allow 192.168.1.101;
  deny all;
}
```
The same configuration can also be used without the `allow` statements to block all traffic to the `/api` endpoint.
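For deployments that cannot filter in front of the application (no Nginx, or an application server exposed directly), the same IP restriction can be applied inside the Rails stack as a Rack middleware. The following is an added example, not Decidim's own code or part of the advisory; the middleware class, the `DEFAULT_ALLOWED` networks and the `status_for` helper are constructed for illustration, and it generalises the Nginx snippet to CIDR ranges and IPv6.

```ruby
# Added example (not Decidim's code): a Rack middleware that restricts /api
# to trusted IP ranges, as an in-app alternative to the Nginx allow/deny rules.
require "ipaddr"

class ApiIpAllowlist
  # Constructed sample networks; replace with the ranges that need API access.
  DEFAULT_ALLOWED = ["192.168.1.0/24", "10.0.0.5", "2001:db8::/32"].freeze

  def initialize(app, allowed: DEFAULT_ALLOWED)
    @app = app
    @allowed = allowed.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    return @app.call(env) unless api_path?(env["PATH_INFO"].to_s)
    return @app.call(env) if trusted?(env["REMOTE_ADDR"])

    # Deny with a plain 403; do not reveal which ranges are allowed.
    [403, { "content-type" => "text/plain" }, ["Forbidden"]]
  end

  # Match /api and everything below it, but not e.g. /apidocs.
  def api_path?(path)
    path == "/api" || path.start_with?("/api/")
  end

  # REMOTE_ADDR is the peer address seen by the app server. If a reverse proxy
  # sits in front, filter at the proxy instead; X-Forwarded-For is client
  # controlled and is deliberately not consulted here.
  def trusted?(remote_addr)
    ip = IPAddr.new(remote_addr.to_s)
    @allowed.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false # missing or unparseable address: fail closed
  end
end

# Minimal stand-in for the Rails app so the middleware can be exercised offline.
UPSTREAM = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

# Returns the HTTP status the stack would answer for a given path and peer.
def status_for(path, remote_addr, allowed: ApiIpAllowlist::DEFAULT_ALLOWED)
  ApiIpAllowlist.new(UPSTREAM, allowed: allowed)
                .call("PATH_INFO" => path, "REMOTE_ADDR" => remote_addr)
                .first
end
```

In a real application the class would be registered with `config.middleware.insert_before` ahead of the router, so the check runs before any GraphQL query is parsed.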
When weighing a workaround against the seriousness of the vulnerability, consider the nature of the platform. If the platform primarily serves public data, the vulnerability is not serious by its nature. If the platform protects some resources, e.g. inside private participation spaces, the vulnerability may expose data to an attacker that is not meant to be public.
If you have enabled the organization setting "Force users to authenticate before access organization", the scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
CVSS 3.1 (GHSA): 7.5
Vulnerability type: CWE-862 (Missing Authorization)
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026