CVE-2026-45414: Decidim: JWT replay bypasses multi-tenant isolation

GHSA-r3v7-5x4c-c69q HIGH
Published July 13, 2026
CISO Take

CVE-2026-45414 is a broken-access-control flaw in Decidim (a Ruby-based citizen participation platform) where a JWT or API key issued for one organization tenant is accepted by a completely different tenant simply by swapping the Host header, letting an Org 1 principal read Org 2's admin-only GraphQL participantDetails field and reach the proposal.answer mutation. There is no EPSS score, no CISA KEV listing, and no public exploit or scanner template yet, but the CVSS 8.5 (AV:N/AC:L/PR:L/S:C/C:H) reflects that exploitation only requires a valid JWT from any one tenant and a trivial host-header change — no social engineering, no AI-specific tradecraft. The package carries 487 downstream dependents and a mediocre 6.8/10 OpenSSF Scorecard, so any multi-tenant Decidim deployment (common for municipal/government participation portals) is exposed to cross-customer data leakage until patched. Action: upgrade to Decidim 0.31.5 immediately, or as an interim workaround disable JWT credentials in the system panel (/system); audit API logs for requests where the Host header organization does not match the JWT's issuing organization.

Sources: NVD GitHub Advisory OpenSSF

What is the risk?

High severity (CVSS 8.5) but not currently mass-exploitable: the attacker needs a legitimate JWT or API key from at least one tenant (PR:L) before pivoting, which limits this to insiders, disgruntled participants, or anyone who has ever signed up on any Decidim-hosted org — a low bar in an open participation platform where self-registration is typical. Attack complexity is low (AC:L) and no user interaction is required, and the scope is changed (S:C), meaning a compromise in one tenant's trust boundary directly breaches another's. Confidentiality impact is high (personal participant data, admin-only fields); integrity impact is limited (one mutation path, proposal.answer); availability is unaffected. No EPSS/KEV/exploit-in-the-wild signal exists yet, so this reads as a disclosed-but-not-weaponized bug — patch before it becomes one, especially given multi-tenant SaaS deployments are the exact target profile.

How does the attack unfold?

Initial Access
Attacker obtains a valid JWT for Org 1 either via self-registration/login or a system-admin-issued API key.
Trust Boundary Bypass
Attacker replays the Org 1 JWT against the Org 2 API host by changing only the Host header, since the JWT is not bound to its issuing organization.
Unauthorized Data Access
The Org 2 API accepts the cross-tenant JWT and returns the admin-only GraphQL participantDetails field, exposing Org 2 participant PII.
Impact
With API-user tokens, the attacker can additionally reach Org 2's proposal.answer mutation, tampering with another organization's participatory process data.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Panel rubygems < 0.31.5 0.31.5
5.7K OpenSSF 6.8 487 dependents Pushed 2d ago 62% patched ~10d to patch Full package profile →

Do you use Panel? You're affected.

How severe is it?

CVSS 3.1
8.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I Low
A None

What should I do?

1 step
  1. 1) Upgrade to Decidim 0.31.5 or later (patches: decidim/decidim PR #16673 and #16756). 2) Until patched, disable JWT-based API credentials via the system admin panel (/system) as an interim workaround — this closes the API-user replay path but confirm impact on legitimate integrations first. 3) Detection: review API access logs for JWTs whose embedded organization claim does not match the Host header's resolved organization; flag any successful participantDetails queries or proposal.answer mutations originating from cross-tenant JWTs. 4) Post-patch, verify JWT validation now binds the token to the resolving host organization, and re-test with a token issued on Org 1 against Org 2's API host. 5) Rotate any JWTs/API keys that may have been used for cross-tenant probing prior to patching.

How is it classified?

Auth Bypass Privacy Violation Data Leakage API Framework

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-45414?

CVE-2026-45414 is a broken-access-control flaw in Decidim (a Ruby-based citizen participation platform) where a JWT or API key issued for one organization tenant is accepted by a completely different tenant simply by swapping the Host header, letting an Org 1 principal read Org 2's admin-only GraphQL participantDetails field and reach the proposal.answer mutation. There is no EPSS score, no CISA KEV listing, and no public exploit or scanner template yet, but the CVSS 8.5 (AV:N/AC:L/PR:L/S:C/C:H) reflects that exploitation only requires a valid JWT from any one tenant and a trivial host-header change — no social engineering, no AI-specific tradecraft. The package carries 487 downstream dependents and a mediocre 6.8/10 OpenSSF Scorecard, so any multi-tenant Decidim deployment (common for municipal/government participation portals) is exposed to cross-customer data leakage until patched. Action: upgrade to Decidim 0.31.5 immediately, or as an interim workaround disable JWT credentials in the system panel (/system); audit API logs for requests where the Host header organization does not match the JWT's issuing organization.

Is CVE-2026-45414 actively exploited?

No confirmed active exploitation of CVE-2026-45414 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45414?

1) Upgrade to Decidim 0.31.5 or later (patches: decidim/decidim PR #16673 and #16756). 2) Until patched, disable JWT-based API credentials via the system admin panel (/system) as an interim workaround — this closes the API-user replay path but confirm impact on legitimate integrations first. 3) Detection: review API access logs for JWTs whose embedded organization claim does not match the Host header's resolved organization; flag any successful participantDetails queries or proposal.answer mutations originating from cross-tenant JWTs. 4) Post-patch, verify JWT validation now binds the token to the resolving host organization, and re-test with a token issued on Org 1 against Org 2's API host. 5) Rotate any JWTs/API keys that may have been used for cross-tenant probing prior to patching.

What is the CVSS score for CVE-2026-45414?

CVE-2026-45414 has a CVSS v3.1 base score of 8.5 (HIGH).

What are the technical details?

Original Advisory

## Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's `proposal.answer` mutation path. ## Technical description The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1. Reproduction steps: 1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin. <img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" /> 2. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant `org2.localhost:3001` <img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" /> Note that using a participant-generated JWT did not allow showing these results. ### Impact A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization. ### Patches See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756 ### Workarounds Disable JWT credentials on system panel (`/system`) ### References OWASP A01:2021 Broken Access Control ### Credits This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).

Exploitation Scenario

An attacker registers as a regular participant (or obtains a system-admin-issued API key) on Org 1's Decidim instance and either logs in to capture the JWT shown in the authenticated response or generates one via the API key. They then send that same JWT in a request to Org 2's API endpoint (e.g., org2.localhost or org2's production host), simply changing the Host header. Because the API resolves the organization context from the Host header but does not verify the JWT was issued for that same organization, the request succeeds — returning Org 2's admin-only participantDetails GraphQL field (exposing PII) and, for API-user tokens, allowing the attacker to invoke Org 2's proposal.answer mutation, tampering with another organization's participatory process data.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Timeline

Published
July 13, 2026
Last Modified
July 13, 2026
First Seen
July 13, 2026

Related Vulnerabilities