Skip to main content

decidim-verifications CVE-2026-45330

MEDIUM
Information Exposure (CWE-200)
2026-07-13 https://github.com/decidim/decidim GHSA-86fh-w43w-338c
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

PR:H required as attacker must be an authenticated platform admin; I:L added over vendor score because cross-tenant approve/reject modifies victim authorization state.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:39 vuln.today
Analysis Generated
Jul 13, 2026 - 19:39 vuln.today

DescriptionGitHub Advisory

Description

The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.

Technical description

The verification admin controllers loads pending_authorization_id with a raw Authorization.find(...) and then authorizes the record without checking whether it belongs to current_organization.

Reproduction steps:

  1. An org2 participant uploads their ID:

<img width="2184" height="1288" alt="decidim-verification-01" src="https://github.com/user-attachments/assets/c6713454-c787-4795-b852-3c2c672358d6" />

  1. An admin from another organisation, in this case org1, is able to open the ID from org2 by opening request 35, e.g http://localhost:3001/admin/id_documents/pending_authorizations/35/confirmations/new

<img width="1539" height="1037" alt="decidim-verification-02" src="https://github.com/user-attachments/assets/6ed646de-a501-4964-8467-013ada55ce2d" />

  1. The admin then approves this request by looking up the ID in the picture (not shown in this image, but a real ID would expose this)

<img width="1542" height="652" alt="decidim-verification-03" src="https://github.com/user-attachments/assets/c7ee5bea-3fa2-43d9-8330-8d834f34a9af" />

  1. Now the request has been approved, which can be seen from the org2 participant authorizations page:

<img width="2279" height="720" alt="decidim-verification-04" src="https://github.com/user-attachments/assets/55ee1bab-d396-4e0f-803f-21dc31a2c125" />

Impact

A tenant admin can access, reject or approve another tenant's id_documents requests.

Patches

See https://github.com/decidim/decidim/pull/16666

Workarounds

Disable the "Identity documents" verification

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Cross-tenant IDOR in Decidim's verification admin flow exposes government-issued identity documents belonging to participants of one organization to administrators of a different tenant on the same instance. An authenticated admin of any tenant can enumerate sequential pending_authorization_id integers in the admin URL to view, approve, or reject ID document and postal-letter verification requests that belong to entirely separate organizations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as admin on any co-hosted Decidim tenant
Delivery
Enumerate sequential pending_authorization_id integers via admin URL
Exploit
Load cross-tenant ID document image in browser
Execution
Exfiltrate PII from government-issued ID
Impact
Optionally approve or reject victim tenant's authorization request

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active admin-level account on any tenant within the same Decidim multi-tenant instance (PR:H - unauthenticated external attackers cannot exploit this). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) accurately captures the network-accessible, low-complexity nature of the attack but underscores the significant PR:H gate - only authenticated platform admins can exploit this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An admin authenticated to Tenant A opens the Decidim admin panel and manually crafts or iterates URLs of the form `/admin/id_documents/pending_authorizations/{id}/confirmations/new`, incrementing the integer ID to enumerate records outside their tenant. When a matching record from Tenant B is found, the admin is presented with the uploaded government-issued identity document image - exposing the participant's name, date of birth, and document number - and can approve or reject the request, manipulating Tenant B's verification state without authorization. …
Remediation Upgrade decidim-verifications to a patched release: version 0.30.9 for deployments on the 0.30.x line, 0.31.5 for the 0.31.x line, or 0.32.0 for the 0.32.x line. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy