Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user auth…
| CVE ID | CVE-2026-45414 |
| Vendor | rubygems |
| Affected Product | decidim |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1. Reproduction steps: 1. Use an API key provided by the system administrator that is assigned t
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.