CVE-2026-45414 is a broken-access-control flaw in Decidim (a Ruby-based citizen participation platform) where a JWT or API key issued for one organization tenant is accepted by a completely different tenant simply by swapping the Host header, letting an Org 1 principal read Org 2's admin-only GraphQL participantDetails field and reach the proposal.answer mutation. There is no EPSS score, no CISA KEV listing, and no public exploit or scanner template yet, but the CVSS 8.5 (AV:N/AC:L/PR:L/S:C/C:H) reflects that exploitation only requires a valid JWT from any one tenant and a trivial host-header change — no social engineering, no AI-specific tradecraft. The package carries 487 downstream dependents and a mediocre 6.8/10 OpenSSF Scorecard, so any multi-tenant Decidim deployment (common for municipal/government participation portals) is exposed to cross-customer data leakage until patched. Action: upgrade to Decidim 0.31.5 immediately, or as an interim workaround disable JWT credentials in the system panel (/system); audit API logs for requests where the Host header organization does not match the JWT's issuing organization.
What is the risk?
High severity (CVSS 8.5) but not currently mass-exploitable: the attacker needs a legitimate JWT or API key from at least one tenant (PR:L) before pivoting, which limits this to insiders, disgruntled participants, or anyone who has ever signed up on any Decidim-hosted org — a low bar in an open participation platform where self-registration is typical. Attack complexity is low (AC:L) and no user interaction is required, and the scope is changed (S:C), meaning a compromise in one tenant's trust boundary directly breaches another's. Confidentiality impact is high (personal participant data, admin-only fields); integrity impact is limited (one mutation path, proposal.answer); availability is unaffected. No EPSS/KEV/exploit-in-the-wild signal exists yet, so this reads as a disclosed-but-not-weaponized bug — patch before it becomes one, especially given multi-tenant SaaS deployments are the exact target profile.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Panel | rubygems | < 0.31.5 | 0.31.5 |
Do you use Panel? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade to Decidim 0.31.5 or later (patches: decidim/decidim PR #16673 and #16756). 2) Until patched, disable JWT-based API credentials via the system admin panel (/system) as an interim workaround — this closes the API-user replay path but confirm impact on legitimate integrations first. 3) Detection: review API access logs for JWTs whose embedded organization claim does not match the Host header's resolved organization; flag any successful participantDetails queries or proposal.answer mutations originating from cross-tenant JWTs. 4) Post-patch, verify JWT validation now binds the token to the resolving host organization, and re-test with a token issued on Org 1 against Org 2's API host. 5) Rotate any JWTs/API keys that may have been used for cross-tenant probing prior to patching.
How is it classified?
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-45414?
CVE-2026-45414 is a broken-access-control flaw in Decidim (a Ruby-based citizen participation platform) where a JWT or API key issued for one organization tenant is accepted by a completely different tenant simply by swapping the Host header, letting an Org 1 principal read Org 2's admin-only GraphQL participantDetails field and reach the proposal.answer mutation. There is no EPSS score, no CISA KEV listing, and no public exploit or scanner template yet, but the CVSS 8.5 (AV:N/AC:L/PR:L/S:C/C:H) reflects that exploitation only requires a valid JWT from any one tenant and a trivial host-header change — no social engineering, no AI-specific tradecraft. The package carries 487 downstream dependents and a mediocre 6.8/10 OpenSSF Scorecard, so any multi-tenant Decidim deployment (common for municipal/government participation portals) is exposed to cross-customer data leakage until patched. Action: upgrade to Decidim 0.31.5 immediately, or as an interim workaround disable JWT credentials in the system panel (/system); audit API logs for requests where the Host header organization does not match the JWT's issuing organization.
Is CVE-2026-45414 actively exploited?
No confirmed active exploitation of CVE-2026-45414 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-45414?
1) Upgrade to Decidim 0.31.5 or later (patches: decidim/decidim PR #16673 and #16756). 2) Until patched, disable JWT-based API credentials via the system admin panel (/system) as an interim workaround — this closes the API-user replay path but confirm impact on legitimate integrations first. 3) Detection: review API access logs for JWTs whose embedded organization claim does not match the Host header's resolved organization; flag any successful participantDetails queries or proposal.answer mutations originating from cross-tenant JWTs. 4) Post-patch, verify JWT validation now binds the token to the resolving host organization, and re-test with a token issued on Org 1 against Org 2's API host. 5) Rotate any JWTs/API keys that may have been used for cross-tenant probing prior to patching.
What is the CVSS score for CVE-2026-45414?
CVE-2026-45414 has a CVSS v3.1 base score of 8.5 (HIGH).
What are the technical details?
Original Advisory
## Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's `proposal.answer` mutation path. ## Technical description The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1. Reproduction steps: 1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin. <img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" /> 2. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant `org2.localhost:3001` <img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" /> Note that using a participant-generated JWT did not allow showing these results. ### Impact A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization. ### Patches See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756 ### Workarounds Disable JWT credentials on system panel (`/system`) ### References OWASP A01:2021 Broken Access Control ### Credits This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).
Exploitation Scenario
An attacker registers as a regular participant (or obtains a system-admin-issued API key) on Org 1's Decidim instance and either logs in to capture the JWT shown in the authenticated response or generates one via the API key. They then send that same JWT in a request to Org 2's API endpoint (e.g., org2.localhost or org2's production host), simply changing the Host header. Because the API resolves the organization context from the Host header but does not verify the JWT was issued for that same organization, the request succeeds — returning Org 2's admin-only participantDetails GraphQL field (exposing PII) and, for API-user tokens, allowing the attacker to invoke Org 2's proposal.answer mutation, tampering with another organization's participatory process data.
Weaknesses (CWE)
CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
- [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2024-13152 10.0 Mobuy Panel: SQLi allows unauthenticated DB takeover
Same package: panel CVE-2026-47744 9.9 Shopper: RBAC bypass allows full admin takeover
Same package: panel CVE-2026-54158 9.9 SiYuan: XSS→RCE via workspace sync in Electron app
Same package: panel CVE-2024-13147 9.8 B2B Login Panel: SQLi enables unauthenticated DB access
Same package: panel CVE-2024-5960 9.8 Panel: plaintext credential storage enables domain compromise
Same package: panel