THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-r3v7-5x4c-c69q (high) — Decidim: JWT-backed authentication can be replayed across organizations

[GHSA] GHSA-r3v7-5x4c-c69q (high) — Decidim: JWT-backed authentication can be replayed across organizations

highgithub_advisoriesPublished 2026-07-13

GHSA-r3v7-5x4c-c69q Severity: high CVE: CVE-2026-45414

Decidim: JWT-backed authentication can be replayed across organizations

## Description

A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL `participantDetails` field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-r3v7-5x4c-c69q