|
| 1 | +--- |
| 2 | +gem: decidim-verifications |
| 3 | +cve: 2026-45378 |
| 4 | +ghsa: 3mvf-82qp-8qh5 |
| 5 | +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45378 |
| 6 | +title: Decidim - Verification documents can be downloaded through reusable links |
| 7 | +date: 2026-07-13 |
| 8 | +description: | |
| 9 | + ## Description |
| 10 | +
|
| 11 | + Scanned identity-document images provided by participants and shown |
| 12 | + in the verification admin workflow are exposed through signed |
| 13 | + `/rails/active_storage/disk/` URLs that can be fetched without any |
| 14 | + authenticated session. |
| 15 | +
|
| 16 | + Anyone who obtains one of those URLs can retrieve the document until |
| 17 | + the signature expires. |
| 18 | +
|
| 19 | + ## Impact |
| 20 | +
|
| 21 | + - This only applies to Organizations using the \"Identity documents\" |
| 22 | + verification |
| 23 | + - Any party that obtains one of these URLs can download the underlying |
| 24 | + scanned identity document for the lifetime of the signed link without needing to |
| 25 | + authenticate as the reviewing admin. |
| 26 | + - In the reproduced case, that replay window was about seven days, |
| 27 | + which is long enough for routine leakage channels such as copied links, |
| 28 | + screenshots, logs, browser history, and support workflows to become |
| 29 | + realistic exfiltration paths. |
| 30 | + - This raises the risk of leakage through browser history, screenshots, |
| 31 | + copy-paste, support tickets, logs, analytics tooling, malicious |
| 32 | + browser extensions, or any other channel that captures full URLs. |
| 33 | + - Because the affected files are identity-verification documents, the |
| 34 | + exposed data can include highly sensitive personal information. |
| 35 | +
|
| 36 | + ## Credits |
| 37 | +
|
| 38 | + This issue was discovered in a security audit organized by the |
| 39 | + [Decidim Association](https://decidim.org) and made by |
| 40 | + [Radically Open Security](https://www.radicallyopensecurity.com/) |
| 41 | + against Decidim financed by [NGI](https://ngi.eu/). |
| 42 | +cvss_v3: 7.5 |
| 43 | +patched_versions: |
| 44 | + - "~> 0.30.9" |
| 45 | + - "~> 0.31.5" |
| 46 | + - ">= 0.32.0" |
| 47 | +related: |
| 48 | + url: |
| 49 | + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45378 |
| 50 | + - https://rubygems.org/gems/decidim-core/versions/0.32.0 |
| 51 | + - https://github.com/decidim/decidim/releases/tag/v0.32.0 |
| 52 | + - https://github.com/decidim/decidim/releases/tag/v0.31.5 |
| 53 | + - https://github.com/decidim/decidim/releases/tag/v0.30.9 |
| 54 | + - https://github.com/decidim/decidim/pull/16680 |
| 55 | + - https://advisories.gitlab.com/gem/decidim-verifications/CVE-2026-45378 |
| 56 | + - https://github.com/decidim/decidim/security/advisories/GHSA-3mvf-82qp-8qh5 |
| 57 | + - https://github.com/advisories/GHSA-3mvf-82qp-8qh5 |
| 58 | +notes: | |
| 59 | + - CVE is reserved, but not published. |
| 60 | + - cvss_v3 value came from GHSA. |
0 commit comments