THREAT OPS › Threat News › [GHSA] GHSA-r3v7-5x4c-c69q (high) — Decidim: JWT-backed authentication can be replayed across organizations
[GHSA] GHSA-r3v7-5x4c-c69q (high) — Decidim: JWT-backed authentication can be replayed across organizations
GHSA-r3v7-5x4c-c69q Severity: high CVE: CVE-2026-45414
Decidim: JWT-backed authentication can be replayed across organizations
## Description
A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on
MITRE ATT&CK techniques
- CredentialsT1589.001
Indicators of compromise
- CVE-2026-45414cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-r3v7-5x4c-c69q