Impact
Decidim’s root-level commentable field in the API performs no permission checks, which allows an attacker to retrieve all commentable resources from the platform. Because the authorization logic is missing, anyone who can reach the /api endpoint can read content that was intended for private or restricted audiences. The flaw is purely an authorization failure (CWE-862): it results in information disclosure but does not directly permit code execution or privilege escalation.
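To show why a root-level lookup field needs its own authorization check even when the nested path is already filtered, here is an added toy model (not Decidim's code; the Space, Commentable and Api names and the visibility rule are hypothetical) with the unchecked root field beside a fixed one:

```ruby
require "set"

# Hypothetical model: a participatory space is public or members-only, and a
# commentable (e.g. a proposal) belongs to exactly one space.
Space = Struct.new(:id, :private, :members)          # members: Set of user ids
Commentable = Struct.new(:id, :space_id, :body)

class Api
  def initialize(spaces, commentables)
    @spaces = spaces.to_h { |s| [s.id, s] }
    @commentables = commentables.to_h { |c| [c.id, c] }
  end

  # Can `user` (nil = anonymous) read anything in `space`?
  def visible?(space, user)
    !space.private || (!user.nil? && space.members.include?(user))
  end

  # Nested path: space -> commentables. The filter is applied at the parent,
  # so private content is only reachable by members of that space.
  def space_commentables(space_id, user)
    space = @spaces[space_id]
    return [] unless space && visible?(space, user)
    @commentables.values.select { |c| c.space_id == space_id }
  end

  # Unchecked root field (CWE-862): a direct lookup by id with no permission
  # check, so the parent-level filter above is bypassed entirely.
  def commentable_unchecked(id, _user)
    @commentables[id]
  end

  # Fixed root field: re-apply the same visibility rule the nested path uses.
  # Return nil for both "absent" and "forbidden" so ids cannot be enumerated.
  def commentable(id, user)
    c = @commentables[id]
    return nil unless c
    space = @spaces[c.space_id]
    space && visible?(space, user) ? c : nil
  end
end

# Constructed sample data: one public space, one members-only space (member 42).
SPACES = [Space.new(1, false, Set[]), Space.new(2, true, Set[42])]
ITEMS  = [Commentable.new(10, 1, "public proposal"),
          Commentable.new(20, 2, "members-only proposal")]
API = Api.new(SPACES, ITEMS)
```

Running `API.commentable_unchecked(20, nil)` returns the members-only item to an anonymous caller, while `API.commentable(20, nil)` returns nil and `API.commentable(20, 42)` returns it only to the member.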
Affected Systems
All Decidim deployments running versions 0.0.1 through 0.30.4, as well as 0.31.0, with the default publicly accessible /api endpoint are affected. The issue was fixed in Decidim releases 0.30.5 and 0.31.1; earlier versions without the fix remain vulnerable. Any instance that has neither restricted access to the /api endpoint nor enforced authentication for API requests is impacted.
Risk and Exploitability
The CVSS base score of 7.5 indicates a medium‑to‑high severity vulnerability. No EPSS score is available, but the exposure of potentially sensitive community or organizational data makes the risk significant for platforms that host private participation spaces. The flaw can be exploited remotely by making HTTP requests to the public /api endpoint, and the attacker does not require any prior authentication unless the platform has enabled the “Force users to authenticate before access organization” setting. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote API exploitation through public network access, and the impact is information disclosure of commentable resources that are otherwise restricted.
OpenCVE Enrichment