Skip to main content

decidim-demographics CVE-2026-45086

MEDIUM
Improper Access Control (CWE-284)
2026-07-13 https://github.com/decidim/decidim GHSA-vq6j-hj8w-7v39
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible missing authorization requires only a low-privilege authenticated session; confidentiality and integrity impacts are both low as only the question editor surface is exposed, with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:39 vuln.today
Analysis Generated
Jul 13, 2026 - 19:39 vuln.today

DescriptionGitHub Advisory

Description

A participant can load the demographics questionnaire admin editor and make changes.

Technical description

The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.

Reproduction steps:

Step 1. Sign in as a normal participant: Open http://localhost:3000/users/sign_in. Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit_questions in the same browser. Step 3. Add another question:

<img width="1522" height="1174" alt="decidim-questions-01" src="https://github.com/user-attachments/assets/923f85d4-0e2f-4511-a9f3-a92f74dbf1d8" />

Note that access was denied when attempting to see question responses or settings.

Impact

  • Low-privilege users can access questionnaire-admin interfaces.
  • They can read question-management surfaces that should remain limited to questionnaire managers.

Patches

See https://github.com/decidim/decidim/pull/16665

Workarounds

Disable the "decidim-demographics" module

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Unauthorized access to the demographics questionnaire admin editor in Decidim's decidim-demographics module allows any authenticated participant to reach and interact with the /admin/demographics/questions/edit_questions route without admin privileges. Affected versions span 0.31.0-0.31.4 and 0.32.0.rc1, with fixes released in 0.31.5 and 0.32.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as registered participant
Delivery
Navigate directly to /admin/demographics/questions/edit_questions
Exploit
Admin editor renders without authorization check
Execution
Modify or add demographic survey questions
Impact
Altered questionnaire affects all future participant submissions

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated session as any registered participant (no admin role needed) on a Decidim instance running `decidim-demographics` >= 0.31.0 and < 0.31.5, or >= 0.32.0.rc1 and < 0.32.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) is an accurate reflection of actual risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A registered participant on a Decidim civic platform authenticates with their normal account credentials and navigates directly to `/admin/demographics/questions/edit_questions`. Because the route renders without invoking the admin permission check, the question editor interface is presented in full. …
Remediation Upgrade `decidim-demographics` to version 0.31.5 if running the 0.31.x series, or to 0.32.0 if running the 0.32.x series. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy