Skip to content

Commit df906fb

Browse files
committed
GHSA/SYNC: 9 new decidim-related advisories
1 parent 5850322 commit df906fb

9 files changed

Lines changed: 441 additions & 0 deletions

File tree

Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
---
2+
gem: decidim-admin
3+
cve: 2026-45376
4+
ghsa: jvqq-cvh4-xm37
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45376
6+
title: Decidim - Admin user search allows SQL injection through
7+
similarity-based sorting
8+
date: 2026-07-13
9+
description: |
10+
## Description
11+
12+
The admin organization user search uses the untrusted term value inside
13+
raw SQL ORDER BY expressions. Because the value is interpolated before
14+
Rails sanitization is applied, a crafted search string is executed by
15+
PostgreSQL as part of the sort expression.
16+
17+
## Impact
18+
19+
- Exploitation requires an authenticated admin session, which limits
20+
exposure but does not remove the underlying SQL injection risk.
21+
- An authenticated admin can inject arbitrary SQL expressions into
22+
the query's `ORDER BY` clause and use timing differences as a
23+
blind SQL oracle.
24+
- The injection happens inside a database expression, so the effect
25+
is not inherently limited to sorting the current organization user
26+
relation. Depending on the privileges of the application's
27+
PostgreSQL role, an attacker may be able to infer data from other
28+
tables readable by that role.
29+
- The issue remains exploitable even without verbose database errors
30+
because time-based payloads such as `pg_sleep` provide a reliable
31+
blind side channel.
32+
- Repeated long-running payloads can also be used to degrade availability
33+
by tying up database-backed requests.
34+
35+
## Credits
36+
37+
This issue was discovered in a security audit organized by the
38+
[Decidim Association](https://decidim.org) and made by
39+
[Radically Open Security](https://www.radicallyopensecurity.com/)
40+
against Decidim financed by [NGI](https://ngi.eu/).
41+
cvss_v3: 6.8
42+
patched_versions:
43+
- "~> 0.30.9"
44+
- "~> 0.31.5"
45+
- ">= 0.32.0"
46+
related:
47+
url:
48+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45376
49+
- https://rubygems.org/gems/decidim-admin/versions/0.32.0
50+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
51+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
52+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
53+
- https://github.com/decidim/decidim/pull/16668
54+
- https://advisories.gitlab.com/gem/decidim-admin/CVE-2026-45376
55+
- https://github.com/decidim/decidim/security/advisories/GHSA-jvqq-cvh4-xm37
56+
- https://github.com/advisories/GHSA-jvqq-cvh4-xm37
57+
notes: |
58+
- CVE is reserved, but not published.
59+
- cvss_v3 value came from GHSA.
Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
---
2+
gem: decidim-core
3+
cve: 2026-45377
4+
ghsa: 767h-63j4-5226
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45377
6+
title: Decidim - Private exports can be downloaded through reusable links
7+
date: 2026-07-13
8+
description: |
9+
## Description
10+
11+
The normal `download_your_data` flow requires the requester to be
12+
logged in as the export owner, but the resulting Active Storage blob
13+
redirect URL can be replayed without authentication by anyone who obtains it.
14+
15+
## Impact
16+
17+
Personal data exports can be retrieved through leakage channels such
18+
as browser history, logs, referrers, screenshots, copied links, support
19+
transcripts, intercepted email content, or other client-side disclosure
20+
of the GET URL.
21+
22+
## Credits
23+
24+
This issue was discovered in a security audit organized by the
25+
[Decidim Association](https://decidim.org) and made by
26+
[Radically Open Security](https://www.radicallyopensecurity.com/)
27+
against Decidim financed by [NGI](https://ngi.eu/).
28+
cvss_v3: 6.5
29+
patched_versions:
30+
- "~> 0.30.9"
31+
- "~> 0.31.5"
32+
- ">= 0.32.0"
33+
related:
34+
url:
35+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45377
36+
- https://rubygems.org/gems/decidim-core/versions/0.32.0
37+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
38+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
39+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
40+
- https://github.com/decidim/decidim/pull/16680
41+
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45377
42+
- https://github.com/decidim/decidim/security/advisories/GHSA-767h-63j4-5226
43+
- https://github.com/advisories/GHSA-767h-63j4-5226
44+
notes: |
45+
- CVE is reserved, but not published.
46+
- cvss_v3 value came from GHSA.
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
---
2+
gem: decidim-core
3+
cve: 2026-45572
4+
ghsa: 533c-2vh9-4r86
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45572
6+
title: Decidim - HTML content blocks allow stored script execution'
7+
date: 2026-07-13
8+
description: |
9+
## Description
10+
11+
A privileged admin user who can edit an affected landing page can
12+
store arbitrary HTML/JavaScript in an `HTML block`, and the public
13+
page renders it with `html_safe` and no output escaping.
14+
15+
## Impact
16+
17+
- A user with landing-page editing rights for an affected scope can
18+
persist JavaScript that executes in visitor's browsers on that page.
19+
- Because exploitation already requires privileged administrative
20+
access, the practical risk is lower than a participant-controlled
21+
or unauthenticated stored XSS. It still creates a browser-execution
22+
primitive in a trusted admin-editable surface.
23+
24+
## Credits
25+
26+
This issue was discovered in a security audit organized by the
27+
[Decidim Association](https://decidim.org) and made by
28+
[Radically Open Security](https://www.radicallyopensecurity.com/)
29+
against Decidim financed by [NGI](https://ngi.eu/)."
30+
cvss_v3: 4.8
31+
patched_versions:
32+
- "~> 0.30.9"
33+
- "~> 0.31.5"
34+
- ">= 0.32.0"
35+
related:
36+
url:
37+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45572
38+
- https://rubygems.org/gems/decidim-core/versions/0.32.0
39+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
40+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
41+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
42+
- https://github.com/decidim/decidim/pull/16451
43+
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45572
44+
- https://github.com/decidim/decidim/security/advisories/GHSA-533c-2vh9-4r86
45+
- https://github.com/advisories/GHSA-533c-2vh9-4r86
46+
notes: |
47+
- CVE is reserved, but not published.
48+
- cvss_v3 value came from GHSA.
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
---
2+
gem: decidim-core
3+
cve: 2026-45573
4+
ghsa: 2g9c-vf8h-prxx
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45573
6+
title: Decidim - Push subscriptions can be abused for server-side requests
7+
date: 2026-07-13
8+
description: |
9+
## Description
10+
11+
The push-subscription endpoint stores an attacker-controlled delivery
12+
URL, and the notification send path becomes an outbound-request sink when
13+
VAPID delivery is enabled. The practical result is an authenticated,
14+
stored, mostly blind SSRF primitive to arbitrary HTTPS endpoints
15+
reachable from the app server.
16+
17+
## Impact
18+
19+
- In a configured deployment, an authenticated user can register an
20+
attacker-controlled or otherwise unauthorized HTTPS URL.
21+
- The server then sends outbound `POST` requests there whenever a
22+
notification is pushed.
23+
- This is a stored, mostly blind SSRF primitive: useful for outbound
24+
interaction with attacker infrastructure and, where routable, internal
25+
HTTPS services.
26+
- Notification metadata is disclosed to the supplied endpoint through
27+
the encrypted web push request path.
28+
29+
## Credits
30+
31+
This issue was discovered in a security audit organized by the
32+
[Decidim Association](https://decidim.org) and made by
33+
[Radically Open Security](https://www.radicallyopensecurity.com/)
34+
against Decidim financed by [NGI](https://ngi.eu/).
35+
cvss_v3: 6.4
36+
patched_versions:
37+
- "~> 0.30.9"
38+
- "~> 0.31.5"
39+
- ">= 0.32.0"
40+
related:
41+
url:
42+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45573
43+
- https://rubygems.org/gems/decidim-core/versions/0.32.0
44+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
45+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
46+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
47+
- https://github.com/decidim/decidim/pull/16714
48+
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45573
49+
- https://github.com/decidim/decidim/security/advisories/GHSA-2g9c-vf8h-prxx
50+
- https://github.com/advisories/GHSA-2g9c-vf8h-prxx
51+
notes: |
52+
- CVE is reserved, but not published.
53+
- cvss_v3 value came from GHSA.
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
---
2+
gem: decidim-demographics
3+
cve: 2026-45086
4+
ghsa: vq6j-hj8w-7v39
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45086
6+
title: Decidim - Forms admin question editor lacks authorization
7+
date: 2026-07-13
8+
description: |
9+
## Description
10+
11+
A participant can load the demographics questionnaire admin editor
12+
and make changes.
13+
14+
## Impact
15+
16+
- Low-privilege users can access questionnaire-admin interfaces.
17+
- They can read question-management surfaces that should remain
18+
limited to questionnaire managers.
19+
20+
## Credits
21+
22+
This issue was discovered in a security audit organized by the
23+
[Decidim Association](https://decidim.org) and made by
24+
[Radically Open Security](https://www.radicallyopensecurity.com/)
25+
against Decidim financed by [NGI](https://ngi.eu/).
26+
cvss_v3: 5.4
27+
unaffected_versions:
28+
- "< 0.31.0"
29+
patched_versions:
30+
- "~> 0.31.5"
31+
- ">= 0.32.0"
32+
related:
33+
url:
34+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45086
35+
- https://rubygems.org/gems/decidim-core/versions/0.32.0
36+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
37+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
38+
- https://github.com/decidim/decidim/pull/16665
39+
- https://advisories.gitlab.com/gem/decidim-demographics/CVE-2026-45086
40+
- https://github.com/decidim/decidim/security/advisories/GHSA-vq6j-hj8w-7v39
41+
- https://github.com/advisories/GHSA-vq6j-hj8w-7v39
42+
notes: |
43+
- CVE is reserved, but not published.
44+
- cvss_v3 value came from GHSA.
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
---
2+
gem: decidim-verifications
3+
cve: 2026-45330
4+
ghsa: 86fh-w43w-338c
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45330
6+
title: Decidim - Verification admins can access supplied IDs from
7+
other organizations
8+
date: 2026-07-13
9+
description: |
10+
## Description
11+
12+
The verification admin mutation flow allows accessing, verifying,
13+
and rejecting participants records from another tenant.
14+
15+
## Impact
16+
17+
A tenant admin can access, reject or approve another tenant's
18+
`id_documents` requests.
19+
20+
## Credits
21+
22+
This issue was discovered in a security audit organized by the
23+
[Decidim Association](https://decidim.org) and made by
24+
[Radically Open Security](https://www.radicallyopensecurity.com/)
25+
against Decidim financed by [NGI](https://ngi.eu/)."
26+
cvss_v3: 4.9
27+
patched_versions:
28+
- "~> 0.30.9"
29+
- "~> 0.31.5"
30+
- ">= 0.32.0"
31+
related:
32+
url:
33+
- https://rubygems.org/gems/decidim-verifications/versions/0.32.0
34+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
35+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
36+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
37+
- https://github.com/decidim/decidim/pull/16666
38+
- https://advisories.gitlab.com/gem/decidim-verifications/CVE-2026-45330
39+
- https://github.com/decidim/decidim/security/advisories/GHSA-86fh-w43w-338c
40+
- https://github.com/advisories/GHSA-86fh-w43w-338c
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
---
2+
gem: decidim-verifications
3+
cve: 2026-45378
4+
ghsa: 3mvf-82qp-8qh5
5+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45378
6+
title: Decidim - Verification documents can be downloaded through reusable links
7+
date: 2026-07-13
8+
description: |
9+
## Description
10+
11+
Scanned identity-document images provided by participants and shown
12+
in the verification admin workflow are exposed through signed
13+
`/rails/active_storage/disk/` URLs that can be fetched without any
14+
authenticated session.
15+
16+
Anyone who obtains one of those URLs can retrieve the document until
17+
the signature expires.
18+
19+
## Impact
20+
21+
- This only applies to Organizations using the \"Identity documents\"
22+
verification
23+
- Any party that obtains one of these URLs can download the underlying
24+
scanned identity document for the lifetime of the signed link without needing to
25+
authenticate as the reviewing admin.
26+
- In the reproduced case, that replay window was about seven days,
27+
which is long enough for routine leakage channels such as copied links,
28+
screenshots, logs, browser history, and support workflows to become
29+
realistic exfiltration paths.
30+
- This raises the risk of leakage through browser history, screenshots,
31+
copy-paste, support tickets, logs, analytics tooling, malicious
32+
browser extensions, or any other channel that captures full URLs.
33+
- Because the affected files are identity-verification documents, the
34+
exposed data can include highly sensitive personal information.
35+
36+
## Credits
37+
38+
This issue was discovered in a security audit organized by the
39+
[Decidim Association](https://decidim.org) and made by
40+
[Radically Open Security](https://www.radicallyopensecurity.com/)
41+
against Decidim financed by [NGI](https://ngi.eu/).
42+
cvss_v3: 7.5
43+
patched_versions:
44+
- "~> 0.30.9"
45+
- "~> 0.31.5"
46+
- ">= 0.32.0"
47+
related:
48+
url:
49+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45378
50+
- https://rubygems.org/gems/decidim-core/versions/0.32.0
51+
- https://github.com/decidim/decidim/releases/tag/v0.32.0
52+
- https://github.com/decidim/decidim/releases/tag/v0.31.5
53+
- https://github.com/decidim/decidim/releases/tag/v0.30.9
54+
- https://github.com/decidim/decidim/pull/16680
55+
- https://advisories.gitlab.com/gem/decidim-verifications/CVE-2026-45378
56+
- https://github.com/decidim/decidim/security/advisories/GHSA-3mvf-82qp-8qh5
57+
- https://github.com/advisories/GHSA-3mvf-82qp-8qh5
58+
notes: |
59+
- CVE is reserved, but not published.
60+
- cvss_v3 value came from GHSA.

0 commit comments

Comments
 (0)