|
| 1 | +--- |
| 2 | +gem: decidim-comments |
| 3 | +ghsa: ghmh-q25g-gxxx |
| 4 | +url: https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx |
| 5 | +title: Decidim's comments API allows access to all commentable resources |
| 6 | +date: 2026-04-14 |
| 7 | +description: | |
| 8 | + ### Impact |
| 9 | +
|
| 10 | + The root level `commentable` field in the API allows access to all |
| 11 | + commentable resources within the platform, without any permission |
| 12 | + checks. All Decidim instances are impacted that have not secured |
| 13 | + the `/api` endpoint. The `/api` endpoint is publicly available |
| 14 | + with the default configuration. |
| 15 | +
|
| 16 | + ### Patches |
| 17 | +
|
| 18 | + Not available |
| 19 | +
|
| 20 | + ### Workarounds |
| 21 | +
|
| 22 | + To mitigate the issue, you can limit the scope to only authenticated |
| 23 | + users by limiting access to the `/api` endpoint. This would require |
| 24 | + custom code or installing the 3rd party module `Decidim::Apiauth`. |
| 25 | +
|
| 26 | + With custom code, the `/api` endpoint can be limited to only |
| 27 | + authenticated users with the following code (needs to run during |
| 28 | + application initialization): |
| 29 | +
|
| 30 | + ```ruby |
| 31 | + # Within your application |
| 32 | + # config/initializers/limit_api_access.rb |
| 33 | +
|
| 34 | + module LimitApiAccess |
| 35 | + extend ActiveSupport::Concern |
| 36 | +
|
| 37 | + included do |
| 38 | + prepend_before_action do |controller| |
| 39 | + unless controller.send(:user_signed_in?) |
| 40 | + render plain: I18n.t("actions.login_before_access", |
| 41 | + scope: "decidim.core"), status: :unauthorized |
| 42 | + end |
| 43 | + end |
| 44 | + end |
| 45 | + end |
| 46 | +
|
| 47 | + Rails.application.config.to_prepare do |
| 48 | + Decidim::Api::ApplicationController.include(LimitApiAccess) |
| 49 | + end |
| 50 | + ``` |
| 51 | +
|
| 52 | + Please note that this would only disable public access to the API |
| 53 | + and all authenticated users would be still able to exploit the |
| 54 | + vulnerability. This may be sufficient for some installations, |
| 55 | + but not for all. |
| 56 | +
|
| 57 | + Another workaround is to limit the availability of the `/api` |
| 58 | + endpoint to only trusted ranges of IPs that need to access the |
| 59 | + API. The following Nginx configuration would help limiting the |
| 60 | + API access to only specific IPs: |
| 61 | +
|
| 62 | + ``` |
| 63 | + location /api { |
| 64 | + allow 192.168.1.100; |
| 65 | + allow 192.168.1.101; |
| 66 | + deny all; |
| 67 | + } |
| 68 | + ``` |
| 69 | +
|
| 70 | + The same configuration can be also used without the `allow` |
| 71 | + statements to disable all traffic to the the `/api` endpoint. |
| 72 | +
|
| 73 | + When considering a workaround and the seriousness of the vulnerability, |
| 74 | + please consider the nature of the platform. If the platform is primarily |
| 75 | + serving public data, this vulnerability is not serious by its nature. |
| 76 | + If the platform is protecting some resources, e.g. inside private |
| 77 | + participation spaces, the vulnerability may expose some data to |
| 78 | + the attacker that is not meant public. |
| 79 | +
|
| 80 | + If you have enabled the organization setting "Force users to |
| 81 | + authenticate before access organization", the scope of this |
| 82 | + vulnerability is limited to the users who are allowed to log in |
| 83 | + to the Decidim platform. This setting was introduced in version |
| 84 | + 0.19.0 and it was applied to the `/api` endpoint in version 0.22.0. |
| 85 | +cvss_v3: 7.5 |
| 86 | +unaffected_versions: |
| 87 | + - "< 0.0.1" |
| 88 | +patched_versions: |
| 89 | + - "~> 0.30.5" |
| 90 | + - ">= 0.31.1" |
| 91 | +related: |
| 92 | + url: |
| 93 | + - https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx |
| 94 | + - https://github.com/advisories/GHSA-ghmh-q25g-gxxx |
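Review bot: the `### Patches` section in the description says "Not available" while `patched_versions` at the bottom lists `~> 0.30.5` and `>= 0.31.1`; one of the two is stale, so either update the description to name the fixed releases or drop `patched_versions` if no fixed gem has shipped yet, since tools such as bundler-audit read the structured field and will report those versions as safe. Two smaller points on the workarounds: the Nginx `allow`/`deny` block only filters on the address Nginx sees, so behind a load balancer or CDN it will match the proxy's IP rather than the client's unless the real-IP module is configured, which is worth a sentence next to the config; and the `LimitApiAccess` initializer is wired via `config.to_prepare`, so readers should be told it is re-applied on every code reload in development and must be verified against the exact `Decidim::Api::ApplicationController` class name of their installed version. Also worth confirming that the GHSA identifier `GHSA-ghmh-q25g-gxxx` in `ghsa:` and both `related.url` entries resolves, since the same value is repeated three times and a typo would propagate.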