VDB
EN
HIGH 8.5

GHSA-r3v7-5x4c-c69q

Decidim: JWT-backed authentication can be replayed across organizations

상세

## Description

A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's `proposal.answer` mutation path.

## Technical description

The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1.

Reproduction steps:

1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin.

<img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" />

2. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant `org2.localhost:3001` <img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" />

Note that using a participant-generated JWT did not allow showing these results.

### Impact

A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.

### Patches

See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756

### Workarounds

Disable JWT credentials on system panel (`/system`)

### References

OWASP A01:2021 Broken Access Control

### Credits

This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / decidim
최초 영향 버전: 0 수정 버전: 0.31.5
수정 bundle update decidim
RubyGems / decidim
최초 영향 버전: 0.32.0.rc1 수정 버전: 0.32.0
수정 bundle update decidim

참고