
Decidim: Anyone can accept or reject proposals

GHSA-w5xj-99cg-rccm
Summary

A security issue allows any registered user to accept or reject changes to proposals, potentially affecting the ownership and co-authorship of those proposals. This issue affects versions 0.19.0 and later of Decidim. To protect your site, disable amendment reactions for the affected components.

What to do
  • Update decidim-core to version 0.31.1.
  • Update decidim-core to version 0.30.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
|  | decidim-core | > 0.31.0.rc1, <= 0.31.1 | 0.31.1 |
|  | decidim-core | > 0.19.0, <= 0.30.5 | 0.30.5 |
Original title
Decidim amendments can be accepted or rejected by anyone
Original description
### Impact
The vulnerability allows any registered and authenticated user to accept or reject any amendment. The impact is on any user who has created proposals where the amendments feature is enabled. It also elevates the user accepting the amendment to an author of the original proposal, because people amending proposals are provided coauthorship on the coauthorable resources.

The only check done when accepting or rejecting amendments is whether the amendment reactions are enabled for the component:
https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107

The permission checks were changed in commit 1b99136, which was introduced in release 0.19.0. I have not investigated whether prior versions are also affected.

### Patches

Not available

### Workarounds
Disable amendment reactions for the amendable component (e.g. proposals).
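The check described under Impact (only the component's reactions flag is consulted) beside a hardened form that also requires the acting user to be an author of the amendable resource, as an added illustration that is not Decidim's code. The `Component`, `Proposal` and `Amendment` stand-ins and the `:evaluating` state are assumptions made for the example; the component flag set to `false` corresponds to the workaround above.

```ruby
# Added example, not code from Decidim. Minimal stand-ins for the objects
# involved; the names and the :evaluating state are assumptions.
Component = Struct.new(:amendment_reactions_enabled)
Proposal  = Struct.new(:authors)            # authors: array of user names
Amendment = Struct.new(:amendable, :state)  # amendable: the Proposal

# Weak check: only asks whether reactions are enabled for the component, so
# any authenticated user passes. Mirrors the flaw described in the advisory.
def can_react_weak?(user, _amendment, component)
  !user.nil? && component.amendment_reactions_enabled
end

# Hardened check: the component setting is still required, but the acting
# user must also be an author of the amendable resource, and the amendment
# must still be awaiting a decision.
def can_react_hardened?(user, amendment, component)
  return false if user.nil?
  return false unless component.amendment_reactions_enabled
  return false unless amendment.state == :evaluating
  amendment.amendable.authors.include?(user)
end

# Accept an amendment only when the named permission check allows it.
def accept_amendment(user, amendment, component, check)
  return :forbidden unless send(check, user, amendment, component)
  amendment.state = :accepted
  :accepted
end

# Scenario (constructed): "alice" authored the proposal; "mallory" is an
# unrelated registered user trying to accept an amendment to it.
def demo(check)
  component = Component.new(true)
  proposal  = Proposal.new(["alice"])
  amendment = Amendment.new(proposal, :evaluating)
  outcome   = accept_amendment("mallory", amendment, component, check)
  [outcome, amendment.state]
end

puts "weak:     #{demo(:can_react_weak?).inspect}"     # => [:accepted, :accepted]
puts "hardened: #{demo(:can_react_hardened?).inspect}" # => [:forbidden, :evaluating]
```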
Source: osv · CVSS 3.1: 7.5
Vulnerability type
CWE-266 Incorrect Privilege Assignment
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026