
Anyone Can Secretly Take Over Your Civic Proposal — And Put Their Name On It

A flaw in the world's most popular open-source democracy platform lets any logged-in user hijack proposals and steal authorship. Patch now.


This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Decidim Flaw Lets Authenticated Users Hijack Civic Proposals

Imagine submitting a citizen proposal to your city council — only to discover a stranger has quietly approved changes to it, rewritten its meaning, and had their name added as co-author, all without your knowledge or consent.

Who Is at Risk — and How Big Is This?

Decidim powers the civic backbone of cities and governments across the world. Barcelona uses it. Helsinki uses it. New York City has piloted it. The Finnish government uses it. More than 400 organizations across 50+ countries run participatory budgeting, policy consultations, and citizen assemblies on Decidim's platform. That means real votes, real budget allocations, and real policy decisions hang on the integrity of proposals submitted through it.

Any registered user on any of those platforms, someone who simply created a free account, could exploit this flaw right now, before administrators even know there is a problem. The affected versions run from 0.19.0 through 0.30.4, plus 0.31.0, so any installation that has not yet moved to one of the fixed releases (0.30.5 or 0.31.1) should be assumed vulnerable.

What an Attacker Can Actually Do

Here's the scenario in plain terms. On Decidim, citizens can submit proposals — say, "Build a new bike lane on Main Street" — and other users can suggest amendments, small edits or changes to that proposal. Think of it like a Wikipedia-style suggestion system, but for real civic decisions. The proposal's original author is supposed to be the only person who can approve or reject those suggested changes. That gatekeeper role is the entire point of the system.

This vulnerability blows that gate wide open. Because of a failure in the platform's permission checks, any logged-in user — not just the proposal author — can approve or reject amendments on any proposal, by anyone, across the entire platform. An activist, a bad-faith political opponent, or even a coordinated group of accounts could accept amendments that dramatically alter a proposal's intent, effectively putting words in another citizen's mouth on official government record.

It gets worse. Decidim's co-authorship system automatically elevates the person who submitted an amendment to co-author status once that amendment is accepted. That means an attacker who accepts their own amendment on your proposal doesn't just change what your proposal says — they get their name attached to it as a co-author in the official record. In a civic democracy platform, where your name and your stated position are the point, that's a form of identity and reputation attack baked directly into the exploit.

The Technical Detail Security Teams Need

The root cause is an authorization bypass in the amendment reaction controller, the server-side logic that handles accept and reject actions on amendable resources. The platform confirms that the caller is logged in, but it does not verify that the caller is an author of the amendable resource before executing the state change. That is a classic broken object-level authorization (BOLA) flaw, the same class often labelled IDOR, exposed on an authenticated attack surface. The vulnerability is tracked as CVE-2026-40869 and carries a CVSS score of 7.5 (HIGH). Exploitation requires only a valid session: no admin access, no special roles, no social engineering beyond account registration.
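To make that concrete, here is an added Ruby illustration of the broken check beside the hardened one, together with the co-authorship side effect described above. This is not Decidim's code; the class and method names (Proposal, Amendment, AmendmentReactions) and the scenario data are assumptions chosen for the example.

```ruby
# Added illustration, not Decidim's code: a minimal model of the accept/reject
# authorization check on an amendable proposal, in its broken and hardened forms.
# Class and method names here are assumptions for the example, not Decidim identifiers.

Proposal  = Struct.new(:id, :title, :body, :coauthor_ids)
Amendment = Struct.new(:id, :proposal, :amender_id, :emendation_body, :state)

class NotAuthorized < StandardError; end

module AmendmentReactions
  # BROKEN (the pattern the advisory describes): the only check is that a
  # session exists, so any logged-in user may accept any amendment anywhere.
  def self.accept_vulnerable(amendment, current_user_id)
    raise NotAuthorized, "login required" if current_user_id.nil?
    apply_acceptance(amendment)
  end

  # HARDENED: object-level authorization against the amendable resource itself
  # (is this user one of the proposal's authors?) before any state change.
  def self.accept_hardened(amendment, current_user_id)
    raise NotAuthorized, "login required" if current_user_id.nil?
    unless amendment.proposal.coauthor_ids.include?(current_user_id)
      raise NotAuthorized, "only the proposal's authors may react to amendments"
    end
    apply_acceptance(amendment)
  end

  # Shared state change: accepting an amendment rewrites the proposal body and,
  # as in Decidim's co-authorship model, adds the amender as a co-author.
  def self.apply_acceptance(amendment)
    raise ArgumentError, "amendment already #{amendment.state}" unless amendment.state == :evaluating
    proposal = amendment.proposal
    proposal.body = amendment.emendation_body
    proposal.coauthor_ids << amendment.amender_id unless proposal.coauthor_ids.include?(amendment.amender_id)
    amendment.state = :accepted
    proposal
  end
  private_class_method :apply_acceptance
end

# Constructed scenario: citizen 1 authored the proposal; account 99 (the attacker)
# submits an amendment that inverts it and then tries to accept it themselves.
def run_scenario(checker)
  proposal  = Proposal.new(42, "Bike lane on Main Street", "Build a protected bike lane.", [1])
  amendment = Amendment.new(7, proposal, 99, "Do not build a bike lane; widen the road.", :evaluating)
  begin
    AmendmentReactions.public_send(checker, amendment, 99)
    { outcome: :accepted, body: proposal.body, coauthors: proposal.coauthor_ids.dup }
  rescue NotAuthorized => e
    { outcome: :denied, reason: e.message, body: proposal.body, coauthors: proposal.coauthor_ids.dup }
  end
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:accept_vulnerable) # attacker's text lands and 99 becomes a co-author
  p run_scenario(:accept_hardened)   # denied; proposal and author list untouched
end
```

The fix is not "require login" (the broken version already does that) but checking the caller against the specific object being changed, which is what distinguishes authentication from object-level authorization.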

Real-World Context: Who Found It, Who's at Risk

As of publication, no active exploitation has been confirmed in the wild, and no specific victims or campaigns have been publicly identified. The vulnerability was reported through Decidim's security process and the maintainers have shipped fixes. No discovery credit has been attributed to an external threat actor, which points to coordinated disclosure rather than abuse caught in the wild, a fortunate outcome given that the vulnerable window stretches all the way back to version 0.19.0.

However, the lack of confirmed exploitation is not a reason to wait. This flaw requires zero technical sophistication to weaponize. Any person with a grudge, a political agenda, or an interest in corrupting a specific civic process could read this disclosure and begin probing unpatched installations today. Democracy platforms attract motivated adversaries — from organized political interference campaigns to individual bad actors trying to game local budget decisions.

What To Do Right Now

Whether you're an administrator of a Decidim installation or a citizen who participates on one, here are three concrete steps:

  1. Upgrade immediately to Decidim 0.30.5 or 0.31.1, the two releases that contain the official fix. If your installation is on the 0.30.x branch, target 0.30.5; if you are on 0.31.x, target 0.31.1. Check the installed version in your application's Gemfile.lock (the decidim gem entry) or by evaluating Decidim.version in a Rails console. Any version from 0.19.0 up to and including 0.30.4, and 0.31.0 itself, is vulnerable.
  2. Apply the workaround immediately if you cannot patch today. The Decidim team has confirmed that disabling amendment reactions on every amendable component blocks exploitation of this specific flaw. In each such component's settings, turn off the amendment reaction option; it is the accept/reject step that is broken, so that is the switch that matters. These amendment options are configured per component and, in participatory processes, per phase, so check every phase, not just the current one. Yes, this reduces platform functionality temporarily, but it closes the vulnerability window until the upgrade can be scheduled.
  3. Audit recent amendment activity on high-stakes proposals. If your platform has been running a vulnerable version, review the amendment history on active proposals, particularly those tied to live votes, budget allocations or policy consultations. Look for amendments that were accepted or rejected by someone other than the proposal's authors at the time of the reaction, and especially for amendments accepted by the very account that submitted them, since that is the path that also grants the attacker co-authorship. New co-authors appearing on a proposal that its original author does not recognise are another visible sign. If you find suspicious activity, flag it for your legal or governance team, since altered civic records may have procedural or legal implications depending on your jurisdiction.
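As an added example of step 3 (not a Decidim tool; the record fields such as author_ids, amender_id and reacted_by are assumptions for this illustration, not Decidim's schema, so map them to whatever your database export or admin history actually provides), this Ruby script applies the two heuristics above to a constructed set of amendment records:

```ruby
# Added illustration, not a Decidim tool: scans a constructed export of amendment
# records for the two abuse signatures described in step 3. Field names are
# assumptions for this example, not Decidim's schema.
require "time"

# Constructed sample records. author_ids is the proposal's author list BEFORE the
# reaction: accepting an amendment adds the amender as co-author, so comparing
# against the *current* author list would hide exactly the case we want to find.
AMENDMENTS = [
  { id: 1, proposal_id: 10, author_ids: [1],    amender_id: 5,  state: "accepted",   reacted_by: 1,   reacted_at: "2026-04-01T09:00:00Z" },
  { id: 2, proposal_id: 10, author_ids: [1, 5], amender_id: 99, state: "accepted",   reacted_by: 99,  reacted_at: "2026-04-20T22:13:00Z" },
  { id: 3, proposal_id: 11, author_ids: [2],    amender_id: 7,  state: "rejected",   reacted_by: 3,   reacted_at: "2026-04-21T08:30:00Z" },
  { id: 4, proposal_id: 12, author_ids: [4],    amender_id: 8,  state: "evaluating", reacted_by: nil, reacted_at: nil },
].freeze

# Flag every accept/reject not performed by one of the proposal's authors at the
# time, and call out self-acceptance separately: the amender approving their own
# amendment is the path that also steals co-authorship.
def suspicious_reactions(records, since: nil)
  records.filter_map do |r|
    next if r[:reacted_by].nil?                         # no reaction yet, nothing to audit
    next if since && Time.iso8601(r[:reacted_at]) < since
    next if r[:author_ids].include?(r[:reacted_by])     # legitimate: an author reacted
    reasons = ["reaction by non-author #{r[:reacted_by]}"]
    reasons << "self-#{r[:state]} by amender" if r[:reacted_by] == r[:amender_id]
    { amendment_id: r[:id], proposal_id: r[:proposal_id], state: r[:state], reasons: reasons }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_reactions(AMENDMENTS).each do |hit|
    puts "amendment #{hit[:amendment_id]} on proposal #{hit[:proposal_id]} (#{hit[:state]}): #{hit[:reasons].join('; ')}"
  end
end
```

Run it against the full history rather than a recent window first; the vulnerable range goes back to 0.19.0, so a one-month cutoff can miss older manipulation of proposals that are still live.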

CVE-2026-40869 | CVSS 7.5 HIGH | Affects Decidim 0.19.0 through 0.30.4 and 0.31.0 | Fixed in 0.30.5, 0.31.1 | No active exploitation confirmed at time of publication.

// TOPICS
#authorization-bypass #privilege-escalation #access-control #participatory-democracy #authenticated-attack