Updated advisory posts against rubysec/ruby-advisory-db@f0d5835

Author: jasnow

advisories/_posts/2026-04-14-CVE-2026-40869.md

@@ -0,0 +1,52 @@
+---
+layout: advisory
+title: 'CVE-2026-40869 (decidim-core): Decidim amendments can be accepted or rejected
+  by anyone'
+comments: false
+categories:
+- decidim-core
+advisory:
+  gem: decidim-core
+  cve: 2026-40869
+  ghsa: w5xj-99cg-rccm
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
+  title: Decidim amendments can be accepted or rejected by anyone
+  date: 2026-04-14
+  description: |-
+    ### Impact
+
+    The vulnerability allows any registered and authenticated user to
+    accept or reject any amendments. The impact is on any users who
+    have created proposals where the amendments feature is enabled.
+    This also elevates the user accepting the amendment as the author
+    of the original proposal as people amending proposals are provided
+    coauthorship on the coauthorable resources.
+
+    The only check done when accepting or rejecting amendments is whether
+    the amendment reactions are enabled for the component:
+    -  https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107
+
+    The permission checks have been changed at 1b99136 which was
+    introduced in released version 0.19.0. I have not investigated
+    whether prior versions are also affected.
+
+    ### Patches
+
+    Not available
+
+    ### Workarounds
+
+    Disable amendment reactions for the amendable component (e.g. proposals).
+  cvss_v3: 7.5
+  unaffected_versions:
+  - "< 0.19.0"
+  patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-40869
+    - https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
+    - https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9
+    - https://github.com/advisories/GHSA-w5xj-99cg-rccm
+---

advisories/_posts/2026-04-14-CVE-2026-40870.md

@@ -0,0 +1,104 @@
+---
+layout: advisory
+title: 'CVE-2026-40870 (decidim-comments): Decidim''s comments API allows access to
+  all commentable resources'
+comments: false
+categories:
+- decidim-comments
+advisory:
+  gem: decidim-comments
+  cve: 2026-40870
+  ghsa: ghmh-q25g-gxxx
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+  title: Decidim's comments API allows access to all commentable resources
+  date: 2026-04-14
+  description: |-
+    ### Impact
+
+    The root level `commentable` field in the API allows access to all
+    commentable resources within the platform, without any permission
+    checks. All Decidim instances are impacted that have not secured
+    the `/api` endpoint. The `/api` endpoint is publicly available
+    with the default configuration.
+
+    ### Patches
+
+    Not available
+
+    ### Workarounds
+
+    To mitigate the issue, you can limit the scope to only authenticated
+    users by limiting access to the `/api` endpoint. This would require
+    custom code or installing the 3rd party module `Decidim::Apiauth`.
+
+    With custom code, the `/api` endpoint can be limited to only
+    authenticated users with the following code (needs to run during
+    application initialization):
+
+    ```ruby
+    # Within your application
+    # config/initializers/limit_api_access.rb
+
+    module LimitApiAccess
+      extend ActiveSupport::Concern
+
+      included do
+        prepend_before_action do |controller|
+          unless controller.send(:user_signed_in?)
+            render plain: I18n.t("actions.login_before_access",
+              scope: "decidim.core"), status: :unauthorized
+          end
+        end
+      end
+    end
+
+    Rails.application.config.to_prepare do
+      Decidim::Api::ApplicationController.include(LimitApiAccess)
+    end
+    ```
+
+    Please note that this would only disable public access to the API
+    and all authenticated users would be still able to exploit the
+    vulnerability. This may be sufficient for some installations,
+    but not for all.
+
+    Another workaround is to limit the availability of the `/api`
+    endpoint to only trusted ranges of IPs that need to access the
+    API. The following Nginx configuration would help limiting the
+    API access to only specific IPs:
+
+    ```
+    location /api {
+      allow 192.168.1.100;
+      allow 192.168.1.101;
+      deny all;
+    }
+    ```
+
+    The same configuration can be also used without the `allow`
+    statements to disable all traffic to the the `/api` endpoint.
+
+    When considering a workaround and the seriousness of the vulnerability,
+    please consider the nature of the platform. If the platform is primarily
+    serving public data, this vulnerability is not serious by its nature.
+    If the platform is protecting some resources, e.g. inside private
+    participation spaces, the vulnerability may expose some data to
+    the attacker that is not meant public.
+
+    If you have enabled the organization setting "Force users to
+    authenticate before access organization", the scope of this
+    vulnerability is limited to the users who are allowed to log in
+    to the Decidim platform. This setting was introduced in version
+    0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
+  cvss_v3: 7.5
+  unaffected_versions:
+  - "< 0.0.1"
+  patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-40870
+    - https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+    - https://github.com/advisories/GHSA-ghmh-q25g-gxxx
+---