GHSA-r3v7-5x4c-c69q
Decidim: JWT-backed authentication can be replayed across organizations
상세
## Description
A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that JWT to the Org 2 API to read Org 2 participant personal data and reach Org 2's `proposal.answer` mutation path.
## Technical description
The current host selects the Decidim organization context, but JWT-backed API authentication is not sufficiently bound to that host organization. As a result, the API can process a request in Org 2's context while still trusting an authenticated principal from Org 1.
Reproduction steps:
1. Use an API key provided by the system administrator that is assigned to organization 1 to create the JWT token or get the JWT token shown in the response when logged in as the organization admin.
<img width="1080" height="1119" alt="decidim-jwt-01" src="https://github.com/user-attachments/assets/6195a250-faef-41d5-8f64-4d77d4077e96" />
2. When using this JWT token it is possible to retrieve details from other organisations. Notice the change of the host header in the request below to that of another tenant `org2.localhost:3001` <img width="1085" height="1047" alt="decidim-jwt-02" src="https://github.com/user-attachments/assets/d40825e3-0d36-44f3-bede-86d247bbe6d0" />
Note that using a participant-generated JWT did not allow showing these results.
### Impact
A JWT issued for one organization can be replayed successfully against another organization's API and used to retrieve sensitive details from that organization.
### Patches
See https://github.com/decidim/decidim/pull/16673 and https://github.com/decidim/decidim/pull/16756
### Workarounds
Disable JWT credentials on system panel (`/system`)
### References
OWASP A01:2021 Broken Access Control
### Credits
This issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.