CVE-2026-40870: Decidim's comments API allows access to all commentable resources
The root-level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances that have not secured the /api endpoint are affected; the /api endpoint is publicly available in the default configuration.
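The following Ruby snippet is an added illustration of the flaw class described above, written for this page; it is not Decidim's code and does not reproduce its resolvers, models or permission system. It models a root-level GraphQL-style field that looks up a commentable resource by id, first without any visibility check and then with a hypothetical visible_to? predicate, over a constructed set of resources. The exposed_ids helper is an audit aid that shows what an unauthenticated caller can reach through each resolver, which is the kind of comparison a defender would run when checking whether an API field honours the platform's visibility rules.

```ruby
# Hypothetical, simplified model of a root-level "commentable(id)" API field.
# Not Decidim's code; names and flags below are assumptions for this example.

Commentable = Struct.new(:id, :title, :published, :private_space, keyword_init: true)
Requester   = Struct.new(:id, :member_of_private_spaces, keyword_init: true)

# Constructed sample data: one public, one unpublished draft, one in a private space.
RESOURCES = [
  Commentable.new(id: 1, title: "Public proposal",      published: true,  private_space: false),
  Commentable.new(id: 2, title: "Draft proposal",       published: false, private_space: false),
  Commentable.new(id: 3, title: "Private-space debate", published: true,  private_space: true),
].freeze

# Vulnerable pattern: resolves any id it is given and ignores who is asking.
# This is the shape of the problem the advisory describes (no permission check).
def resolve_commentable_unchecked(id, _requester = nil)
  RESOURCES.find { |r| r.id == id }
end

# Hypothetical visibility predicate: unpublished resources are never visible,
# public-space resources are visible to everyone, private-space resources only
# to members. A real platform would delegate to its own permission layer.
def visible_to?(resource, requester)
  return false unless resource.published
  return true  unless resource.private_space
  !requester.nil? && requester.member_of_private_spaces
end

# Hardened pattern: the field resolves a resource only if the requester may see it;
# an unauthorised or missing resource both resolve to nil, so ids are not confirmed.
def resolve_commentable_checked(id, requester)
  resource = RESOURCES.find { |r| r.id == id }
  return nil if resource.nil? || !visible_to?(resource, requester)
  resource
end

# Audit helper: which ids in a range does a given resolver return for this requester?
# Comparing the two resolvers for an anonymous requester shows the over-exposure.
def exposed_ids(resolver, requester = nil, ids = 1..5)
  ids.select { |id| !resolver.call(id, requester).nil? }
end

if __FILE__ == $PROGRAM_NAME
  anon = nil
  puts "unchecked, anonymous: #{exposed_ids(method(:resolve_commentable_unchecked), anon).inspect}"
  puts "checked,   anonymous: #{exposed_ids(method(:resolve_commentable_checked), anon).inspect}"
  member = Requester.new(id: 7, member_of_private_spaces: true)
  puts "checked,   member:    #{exposed_ids(method(:resolve_commentable_checked), member).inspect}"
end
```

Running the script prints that the unchecked resolver hands an anonymous caller every resource, including the unpublished draft and the private-space debate, while the checked resolver returns only the public proposal to an anonymous caller and additionally the private-space debate to a member. Securing the /api endpoint, as the advisory recommends, limits who can reach the field at all; the per-field visibility check is the complementary fix that makes the field safe even for callers who can reach it.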
References
- github.com/advisories/GHSA-ghmh-q25g-gxxx
- github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-api/CVE-2026-40870.yml
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-comments/CVE-2026-40870.yml
- nvd.nist.gov/vuln/detail/CVE-2026-40870