GHSA/SYNC: 4 brand new advisories

gems/decidim-api/GHSA-ghmh-q25g-gxxx.yml

@@ -0,0 +1,94 @@
+---
+gem: decidim-api
+ghsa: ghmh-q25g-gxxx
+url: https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+title: Decidim's comments API allows access to all commentable resources
+date: 2026-04-14
+description: |
+  ### Impact
+
+  The root level `commentable` field in the API allows access to all
+  commentable resources within the platform, without any permission
+  checks. All Decidim instances are impacted that have not secured
+  the `/api` endpoint. The `/api` endpoint is publicly available
+  with the default configuration.
+
+  ### Patches
+
+  Not available
+
+  ### Workarounds
+
+  To mitigate the issue, you can limit the scope to only authenticated
+  users by limiting access to the `/api` endpoint. This would require
+  custom code or installing the 3rd party module `Decidim::Apiauth`.
+
+  With custom code, the `/api` endpoint can be limited to only
+  authenticated users with the following code (needs to run during
+  application initialization):
+
+  ```ruby
+  # Within your application
+  # config/initializers/limit_api_access.rb
+
+  module LimitApiAccess
+    extend ActiveSupport::Concern
+
+    included do
+      prepend_before_action do |controller|
+        unless controller.send(:user_signed_in?)
+          render plain: I18n.t("actions.login_before_access",
+            scope: "decidim.core"), status: :unauthorized
+        end
+      end
+    end
+  end
+
+  Rails.application.config.to_prepare do
+    Decidim::Api::ApplicationController.include(LimitApiAccess)
+  end
+  ```
+
+  Please note that this would only disable public access to the API
+  and all authenticated users would be still able to exploit the
+  vulnerability. This may be sufficient for some installations,
+  but not for all.
+
+  Another workaround is to limit the availability of the `/api` endpoint
+  to only trusted ranges of IPs that need to access the API. The
+  following Nginx configuration would help limiting the API access
+  to only specific IPs:
+
+  ```
+  location /api {
+    allow 192.168.1.100;
+    allow 192.168.1.101;
+    deny all;
+  }
+  ```
+
+  The same configuration can be also used without the `allow`
+  statements to disable all traffic to the the `/api` endpoint.
+
+  When considering a workaround and the seriousness of the vulnerability,
+  please consider the nature of the platform. If the platform is primarily
+  serving public data, this vulnerability is not serious by its nature.
+  If the platform is protecting some resources, e.g. inside private
+  participation spaces, the vulnerability may expose some data to
+  the attacker that is not meant public.
+
+  If you have enabled the organization setting "Force users to
+  authenticate before access organization", the scope of this
+  vulnerability is limited to the users who are allowed to log in
+  to the Decidim platform. This setting was introduced in version
+  0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 0.0.1"
+patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+related:
+  url:
+    - https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+    - https://github.com/advisories/GHSA-ghmh-q25g-gxxx

gems/decidim-comments/GHSA-ghmh-q25g-gxxx.yml

@@ -0,0 +1,94 @@
+---
+gem: decidim-comments
+ghsa: ghmh-q25g-gxxx
+url: https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+title: Decidim's comments API allows access to all commentable resources
+date: 2026-04-14
+description: |
+  ### Impact
+
+  The root level `commentable` field in the API allows access to all
+  commentable resources within the platform, without any permission
+  checks. All Decidim instances are impacted that have not secured
+  the `/api` endpoint. The `/api` endpoint is publicly available
+  with the default configuration.
+
+  ### Patches
+
+  Not available
+
+  ### Workarounds
+
+  To mitigate the issue, you can limit the scope to only authenticated
+  users by limiting access to the `/api` endpoint. This would require
+  custom code or installing the 3rd party module `Decidim::Apiauth`.
+
+  With custom code, the `/api` endpoint can be limited to only
+  authenticated users with the following code (needs to run during
+  application initialization):
+
+  ```ruby
+  # Within your application
+  # config/initializers/limit_api_access.rb
+
+  module LimitApiAccess
+    extend ActiveSupport::Concern
+
+    included do
+      prepend_before_action do |controller|
+        unless controller.send(:user_signed_in?)
+          render plain: I18n.t("actions.login_before_access",
+            scope: "decidim.core"), status: :unauthorized
+        end
+      end
+    end
+  end
+
+  Rails.application.config.to_prepare do
+    Decidim::Api::ApplicationController.include(LimitApiAccess)
+  end
+  ```
+
+  Please note that this would only disable public access to the API
+  and all authenticated users would be still able to exploit the
+  vulnerability. This may be sufficient for some installations,
+  but not for all.
+
+  Another workaround is to limit the availability of the `/api`
+  endpoint to only trusted ranges of IPs that need to access the
+  API. The following Nginx configuration would help limiting the
+  API access to only specific IPs:
+
+  ```
+  location /api {
+    allow 192.168.1.100;
+    allow 192.168.1.101;
+    deny all;
+  }
+  ```
+
+  The same configuration can be also used without the `allow`
+  statements to disable all traffic to the the `/api` endpoint.
+
+  When considering a workaround and the seriousness of the vulnerability,
+  please consider the nature of the platform. If the platform is primarily
+  serving public data, this vulnerability is not serious by its nature.
+  If the platform is protecting some resources, e.g. inside private
+  participation spaces, the vulnerability may expose some data to
+  the attacker that is not meant public.
+
+  If you have enabled the organization setting "Force users to
+  authenticate before access organization", the scope of this
+  vulnerability is limited to the users who are allowed to log in
+  to the Decidim platform. This setting was introduced in version
+  0.19.0 and it was applied to the `/api` endpoint in version 0.22.0.
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 0.0.1"
+patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+related:
+  url:
+    - https://github.com/decidim/decidim/security/advisories/GHSA-ghmh-q25g-gxxx
+    - https://github.com/advisories/GHSA-ghmh-q25g-gxxx

gems/decidim-core/GHSA-w5xj-99cg-rccm.yml

@@ -0,0 +1,42 @@
+---
+gem: decidim-core
+ghsa: w5xj-99cg-rccm
+url: https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
+title: Decidim amendments can be accepted or rejected by anyone
+date: 2026-04-14
+description: |
+  ### Impact
+
+  The vulnerability allows any registered and authenticated user to
+  accept or reject any amendments. The impact is on any users who
+  have created proposals where the amendments feature is enabled.
+  This also elevates the user accepting the amendment as the author
+  of the original proposal as people amending proposals are provided
+  coauthorship on the coauthorable resources.
+
+  The only check done when accepting or rejecting amendments is whether
+  the amendment reactions are enabled for the component:
+  -  https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107
+
+  The permission checks have been changed at 1b99136 which was
+  introduced in released version 0.19.0. I have not investigated
+  whether prior versions are also affected.
+
+  ### Patches
+
+  Not available
+
+  ### Workarounds
+
+  Disable amendment reactions for the amendable component (e.g. proposals).
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 0.19.0"
+patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+related:
+  url:
+    - https://github.com/decidim/decidim/security/advisories/GHSA-w5xj-99cg-rccm
+    - https://github.com/decidim/decidim/commit/1b99136a1c7aa02616a0b54a6ab88d12907a57a9
+    - https://github.com/advisories/GHSA-w5xj-99cg-rccm