SCA: security update for decidim-api, decidim-comments (GHSA-ghmh-q25g-gxxx)

high Tenable Self-Hosted Container Security Plugin ID 440361

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and
0.31.1, the root level `commentable` field in the API allows access to all commentable resources within
the platform, without any permission checks. All Decidim instances that have not secured the `/api`
endpoint are impacted. The `/api` endpoint is publicly available with the default configuration. Versions
0.30.5 and 0.31.1 fix the issue. As a workaround, limit the scope to only authenticated users by limiting
access to the `/api` endpoint. This would require custom code or installing the 3rd party module
`Decidim::Apiauth`. With custom code, the `/api` endpoint can be limited to only authenticated users. The
same configuration can also be used without the `allow` statements to disable all traffic to the
`/api` endpoint. When considering a workaround and the seriousness of the vulnerability, please consider
the nature of the platform. If the platform is primarily serving public data, this vulnerability is not
serious by its nature. If the platform is protecting some resources, e.g. inside private participation
spaces, the vulnerability may expose some data to the attacker that is not meant to be public. For those
who have enabled the organization setting "Force users to authenticate before access organization", the
scope of this vulnerability is limited to the users who are allowed to log in to the Decidim platform. This
setting was introduced in version 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
(CVE-2026-40870)

Solution

Update the decidim-api library and its related packages to version 0.30.5 or later.

See Also

https://github.com/advisories/GHSA-ghmh-q25g-gxxx

Plugin Details

Severity: High

ID: 440361

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 6/8/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.23

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-40870

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-40870

CWE: CWE-862