Skip to content

Decidim: Admin user search allows SQL injection through similarity-based sorting

Moderate severity GitHub Reviewed Published Jul 13, 2026 in decidim/decidim

Package

bundler decidim-admin (RubyGems)

Affected versions

< 0.30.9
>= 0.31.0.rc1, < 0.31.5
>= 0.32.0.rc1, < 0.32.0

Patched versions

0.30.9
0.31.5
0.32.0

Description

The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.

Technical description

The vulnerable endpoint is exposed as GET /admin/organization/users in decidim-admin/config/routes.rb:

resource :organization, only: [:edit, :update], controller: "organization" do
  member do
    get :users
  end
end

That route reaches Decidim::Admin::OrganizationController#users, which forwards the current organization's available users into search:

def users
  search(current_organization.users.available)
end

Inside search, the attacker-controlled source is params[:term]:

if (term = params[:term].to_s).present?

The query has two branches. In both branches, the WHERE predicates use bind parameters and are not the injection sink. The vulnerability is in the subsequent .order(Arel.sql(...)) calls, where the untrusted value is interpolated directly into SQL string literals.

Nickname branch:

nickname = term.delete("@")
relation.where("nickname LIKE ?", "#{nickname}%")
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("similarity(nickname, '#{nickname}') DESC")))

Name/email branch:

relation.where("name ILIKE ?", "%#{term}%").or(
  relation.where("email ILIKE ?", "%#{term}%")
)
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("GREATEST(similarity(name, '#{term}'), similarity(email, '#{term}')) DESC")))
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("(similarity(name, '#{term}') + similarity(email, '#{term}')) / 2 DESC")))

This use of sanitize_sql_array does not make the code safe. The interpolation happens first, so Rails receives an already-built SQL string rather than a statement with bind placeholders. As a result, a quote in term can terminate the intended string literal and inject attacker-controlled SQL into the ORDER BY expression.

For example, a payload such as slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) -- produces a fragment equivalent to:

GREATEST(similarity(name, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --'), similarity(email, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --')) DESC

The injected subquery is therefore evaluated by PostgreSQL as SQL, not treated purely as data. Because the sink is in ORDER BY, the endpoint can still return a normal 200 OK response while exposing the issue through measurable timing differences.

Source-to-sink chain:

  • Source: params[:term]
  • Propagation: term = params[:term].to_s
  • Sink: .order(Arel.sql(... "#{term}" ...)) and .order(Arel.sql(... "#{nickname}" ...))
  • Effect: attacker-controlled SQL is executed inside the database sort expression

Reproduction steps:

  1. Authenticate as an organization admin.
  2. Ensure the search returns at least one row for the chosen payload. For a deterministic test, create a temporary
    user whose name, email, or nickname matches the probe string.
  3. Send a control request to GET /admin/organization/users?term=test with Accept: application/json and record the response time.
  4. Send a payload request such as GET /admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20-- with Accept: application/json.
  5. Observe that the endpoint still responds successfully, but the response time increases by approximately the sleep
    interval, demonstrating time-based SQL execution in the ORDER BY clause.

Impact

  • Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
  • An authenticated admin can inject arbitrary SQL expressions into the query's ORDER BY clause and use timing differences as a blind SQL oracle.
  • The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
  • The issue remains exploitable even without verbose database errors because time-based payloads such as pg_sleep provide a reliable blind side channel.
  • Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.

Patches

See decidim/decidim#16668

Workarounds

Review your administrator accesses and not give access to untrustworthy users

Reference

OWASP SQL Injection

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

References

@andreslucena andreslucena published to decidim/decidim Jul 13, 2026
Published to the GitHub Advisory Database Jul 13, 2026
Reviewed Jul 13, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. Learn more on MITRE.

CVE ID

CVE-2026-45376

GHSA ID

GHSA-jvqq-cvh4-xm37

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.