HomeCVE Intelligence › CVE-2026-45414
CVSS 8.5 HIGH Vulnerability

CVE-2026-45414: Decidim: JWT-backed authentication can be replayed across organizations

Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user auth…

8.5CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-45414
Vendorrubygems
Affected Productdecidim
Vulnerability TypeVulnerability
CVSS Score8.5 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's proposal.answer mutation path.

Technical description The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to

that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1. Reproduction steps: 1. Use an API key provided by the system administrator that is assigned t

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-45414 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence