If your city, university, or government agency asked you to weigh in on a budget decision, a new park, or a local policy online — and they used a platform called Decidim — a stranger on the internet could have been reading every comment you ever posted, without logging in, without permission, and without leaving a trace.
Who's Affected — and the Scale Is Bigger Than You Think
Decidim isn't a household name, but it quietly powers civic participation for hundreds of cities and public institutions across Europe, Latin America, and beyond. Barcelona built its entire digital democracy infrastructure on it. Helsinki uses it. So do the Finnish government, Mexico City, and dozens of universities and NGOs. Estimates put the number of active Decidim installations in the thousands, with millions of registered citizens having used the platform to participate in public consultations, budget votes, and community debates.
The vulnerability, tracked as CVE-2026-40870 and rated HIGH severity with a CVSS score of 7.5, has technically existed since version 0.0.1 — meaning it has been present in every single release of Decidim since the project began. Any installation that hadn't manually locked down its API endpoint was potentially exposed.
Here's What an Attacker Could Actually Do
Imagine your city launches an online consultation asking residents to comment on a proposed housing development. You log in, post your thoughts, and assume your participation is recorded in a secure civic system. Behind the scenes, Decidim has an open "back door" — a data query interface that was never meant to be a secret, but was absolutely meant to be controlled. The problem is that this interface had no bouncer. Anyone — a political operative, a nosy competitor, a foreign intelligence service, a researcher with questionable ethics — could walk up to that back door, ask it to hand over every comment ever posted on the platform, and it would comply without asking for so much as a username or password.
The attacker doesn't need to hack anything in the traditional sense. There's no lock to pick. They simply need to know the address of the API endpoint — which, because it follows a predictable default pattern, is trivially discoverable. From there, they can silently hoover up names, comments, participation histories, and engagement patterns from every public consultation on the platform. In a political context, that kind of data is gold: it can reveal who opposes a development project, who organized a petition, or which neighborhoods are most engaged on a sensitive issue.
The risk isn't just privacy embarrassment. In some political environments, being publicly identified as an opponent of a government project — or as an activist on a contentious issue — carries real personal risk. Civic platforms carry an implicit promise of safety and trust. When that promise is broken by a flaw this fundamental, it doesn't just expose data; it can chill future participation entirely.
The Technical Detail That Makes This Worse
For the security professionals in the room: the vulnerability lives in Decidim's GraphQL API, specifically in the root-level commentable field resolver. GraphQL, unlike traditional REST APIs, lets a caller traverse object relationships and pull nested data in a single query — which is powerful for legitimate use, and catastrophic when authorization checks are skipped. The commentable field was designed to return any "commentable resource" on the platform (proposals, debates, participatory budget line items, and more), but it does so without validating whether the requesting party has permission to view those resources. This is a textbook Broken Object Level Authorization (BOLA) flaw — the number-one vulnerability class in the OWASP API Security Top 10 — applied to a GraphQL resolver with platform-wide scope.
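To make the resolver-level BOLA pattern concrete, here is an added Ruby sketch. It is not Decidim's code and does not use the graphql-ruby API the project builds on; the Commentable and User models, the visibility rule in CommentablePolicy and the sample records are all constructed for the illustration. It puts the unchecked lookup beside the form that consults a policy before returning anything.

```ruby
# Added sketch (not Decidim's code): a root-level "commentable" resolver with
# and without an object-level authorization check. Model, policy and sample
# records are constructed for this illustration.

Commentable = Struct.new(:id, :type, :body, :visibility)
User = Struct.new(:name, :admin)

# Constructed sample data: one published proposal, one hidden draft debate.
STORE = {
  1 => Commentable.new(1, "Proposal", "Build the park", :published),
  2 => Commentable.new(2, "Debate", "Unpublished draft", :hidden),
}.freeze

# Vulnerable pattern: looks the record up by id and returns it to whoever
# asked. The caller's identity is accepted but never consulted.
class VulnerableCommentableResolver
  def initialize(current_user)
    @current_user = current_user
  end

  def resolve(id:)
    STORE[id]
  end
end

# The authorization rule the hardened resolver consults. Published records are
# visible to anyone, including anonymous callers; anything else requires an
# admin. (Constructed rule, standing in for the platform's real permissions.)
module CommentablePolicy
  def self.visible?(user, record)
    return false if record.nil?
    return true if record.visibility == :published
    !user.nil? && user.admin == true
  end
end

# Hardened pattern: every resolution goes through the policy, and a denied
# lookup returns nil rather than an error that would confirm the record exists.
class AuthorizedCommentableResolver
  def initialize(current_user)
    @current_user = current_user
  end

  def resolve(id:)
    record = STORE[id]
    CommentablePolicy.visible?(@current_user, record) ? record : nil
  end
end
```

The difference between the two classes is the whole bug class: the hardened resolver makes the permission decision at the point where the record is fetched, so a caller who reaches a resource through the root-level field gets the same answer as one who reaches it through a nested path, and an anonymous caller gets nothing that is not already public.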
Has This Been Exploited? What Do We Know?
As of publication, no active exploitation has been confirmed in the wild, and there are no known victim campaigns tied to this CVE. But "no confirmed exploitation" is not the same as "no exploitation." This type of passive data-harvesting attack leaves almost no forensic trace — there are no crashed servers, no ransomware notes, no alarms going off. An attacker could have quietly queried a city's entire participation history and walked away with a clean dataset, and the administrators would likely never know.
The flaw was responsibly disclosed, and the Decidim security team has responded with patches. Security teams should treat the lack of confirmed exploitation with appropriate skepticism rather than reassurance.
What You Need to Do Right Now
Whether you're a system administrator, a city IT manager, or a developer maintaining a Decidim instance for a civic organization, here are the three steps you need to take — in order of urgency:
- Patch immediately. Update to Decidim 0.30.5 (for the 0.30.x branch) or Decidim 0.31.1 (for the 0.31.x branch). These are the official patched releases. If you are running any version below these — including any version in the 0.28.x or 0.29.x range — you are vulnerable, and no patch exists for your branch other than upgrading. Check your current version by running bundle exec rails decidim:version in your application directory.
- Lock down your /api endpoint immediately, even before patching. The official workaround is to restrict access to the /api endpoint to authenticated users only. This can be done at the web server or reverse proxy level (nginx, Apache, or your load balancer) by requiring authentication before requests reach the application layer. The Decidim project also references community gems that can enforce this restriction at the application level if you need a faster, lower-risk interim measure.
- Audit your logs for unusual API query patterns. Even though active exploitation hasn't been confirmed, review your web server and application logs for high-volume or unusual requests to /api — particularly large GraphQL queries or requests from unfamiliar IP ranges. Export and preserve those logs now, before they rotate. If you find evidence of suspicious access, treat it as a potential data incident and engage your legal and communications teams, as data protection regulations in the EU (GDPR) and other jurisdictions may require breach notification.
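The application-level lockdown in the second step can be expressed as a small Rack-style middleware that refuses anything under /api unless the session already carries a logged-in user. This is an added example, not Decidim's code and not one of the community gems the project references; the session key "user_id", the stand-in GRAPHQL_APP and the api_status helper are assumptions made for the illustration.

```ruby
# Added example (not Decidim's code): a Rack-style middleware that rejects
# requests to /api unless the session holds an authenticated user.
# The session key and the downstream app are constructed for this example.

class ApiAuthGate
  PROTECTED_PREFIX = "/api".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if protected_path?(env["PATH_INFO"]) && !authenticated?(env)
      # A bare 401: an anonymous caller learns nothing about the schema or
      # the data behind the endpoint.
      return [401, { "content-type" => "text/plain" }, ["Authentication required\n"]]
    end
    @app.call(env)
  end

  private

  # Match /api itself and anything below it, but not e.g. /apiary.
  def protected_path?(path)
    path == PROTECTED_PREFIX || path.start_with?("#{PROTECTED_PREFIX}/")
  end

  # Assumption: the login flow stores the user's id in the session under
  # "user_id". Real Rack session objects are hash-like, not Hash instances,
  # so only the [] interface is relied on.
  def authenticated?(env)
    session = env["rack.session"]
    !session.nil? && session.respond_to?(:[]) && !session["user_id"].nil?
  end
end

# Stand-in for the application that would normally sit behind the gate.
GRAPHQL_APP = lambda do |_env|
  [200, { "content-type" => "application/json" }, ['{"data":{}}']]
end

GATED_APP = ApiAuthGate.new(GRAPHQL_APP)

# Helper: the status the gated stack returns for a path and a session.
def api_status(path, session)
  env = { "PATH_INFO" => path, "REQUEST_METHOD" => "POST", "rack.session" => session }
  GATED_APP.call(env).first
end
```

In a Rails application such a class would be registered with config.middleware.use so that it runs after the session middleware has populated env["rack.session"]; placed any earlier it would see no session and reject every caller, including legitimate ones. It is an interim measure that narrows the exposure while the upgrade is scheduled, not a substitute for the patched release.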
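For the third step, here is an added example (not from the article or the Decidim project) of a log audit over web server access logs in the combined format: it groups requests to /api by client address and flags any client that issued many of them or pulled an unusually large volume of bytes from the endpoint. The log lines are constructed, and the thresholds are assumptions to be tuned against your own baseline traffic.

```ruby
# Added example (not part of the article): audit combined-format access logs
# for clients that hit /api heavily or pull a lot of data from it.
# Sample lines are constructed; thresholds are assumptions to tune per site.

require "time"

# Constructed sample: one client repeatedly posting to /api and receiving
# large responses, plus an ordinary browser session for contrast.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Mar/2026:02:14:01 +0000] "POST /api HTTP/1.1" 200 984211 "-" "python-requests/2.31"
  203.0.113.7 - - [10/Mar/2026:02:14:03 +0000] "POST /api HTTP/1.1" 200 1022781 "-" "python-requests/2.31"
  203.0.113.7 - - [10/Mar/2026:02:14:05 +0000] "POST /api HTTP/1.1" 200 1012555 "-" "python-requests/2.31"
  198.51.100.20 - - [10/Mar/2026:09:30:12 +0000] "GET /processes HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
  198.51.100.20 - - [10/Mar/2026:09:30:15 +0000] "POST /api HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
LOG

# Fields of the combined log format that the audit needs.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/

Entry = Struct.new(:ip, :time, :method, :path, :status, :bytes)

# Parse every well-formed line; malformed lines are skipped rather than fatal.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line)
    next if m.nil?
    Entry.new(m[:ip],
              Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"),
              m[:method], m[:path], m[:status].to_i,
              m[:bytes] == "-" ? 0 : m[:bytes].to_i)
  end
end

# /api with or without a query string, and anything below it.
def api_request?(path)
  base = path.split("?", 2).first
  base == "/api" || base.start_with?("/api/")
end

# One finding per client address whose /api traffic crosses either threshold.
def audit_api_access(text, max_requests: 50, max_bytes: 5_000_000)
  by_ip = parse_log(text).select { |e| api_request?(e.path) }.group_by(&:ip)
  by_ip.filter_map do |ip, entries|
    total = entries.sum(&:bytes)
    reasons = []
    reasons << "#{entries.size} requests to /api" if entries.size > max_requests
    reasons << "#{total} bytes served from /api" if total > max_bytes
    next if reasons.empty?
    { ip: ip, requests: entries.size, bytes: total,
      first_seen: entries.map(&:time).min, last_seen: entries.map(&:time).max,
      reasons: reasons }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_api_access(SAMPLE_LOG, max_requests: 2, max_bytes: 500_000).each do |f|
    puts "#{f[:ip]}: #{f[:reasons].join(', ')} (#{f[:first_seen]} .. #{f[:last_seen]})"
  end
end
```

The byte counts come from the response-size field, so the audit notices bulk extraction even when the request bodies themselves are not logged. Findings of this shape, together with the preserved raw log lines, are what a data-protection assessment needs in order to decide whether the activity amounts to a notifiable breach.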
The Bigger Picture
This vulnerability is a reminder that civic technology deserves the same security scrutiny as financial technology or healthcare software. The data flowing through platforms like Decidim — political opinions, community organizing activity, identity tied to public speech — is deeply sensitive. The fact that a flaw of this severity existed since version 0.0.1 points to a systemic gap: authorization review for API endpoints needs to be a first-class requirement in civic tech projects, not an afterthought discovered years into production deployment.
Decidim is an open-source project maintained by a relatively small team doing genuinely important work. The speed of their patch response deserves credit. But as these platforms scale to serve millions of citizens, the security investment needs to scale with them.
CVE: CVE-2026-40870 | CVSS: 7.5 (HIGH) | Patched versions: 0.30.5, 0.31.1 | Exploitation status: No confirmed active exploitation