decidim-verifications CVE-2026-45330
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
PR:H required as attacker must be an authenticated platform admin; I:L added over vendor score because cross-tenant approve/reject modifies victim authorization state.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Description
The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.
Technical description
The verification admin controllers loads pending_authorization_id with a raw Authorization.find(...) and then authorizes the record without checking whether it belongs to current_organization.
Reproduction steps:
- An org2 participant uploads their ID:
<img width="2184" height="1288" alt="decidim-verification-01" src="https://github.com/user-attachments/assets/c6713454-c787-4795-b852-3c2c672358d6" />
- An admin from another organisation, in this case org1, is able to open the ID from org2 by opening request 35, e.g
http://localhost:3001/admin/id_documents/pending_authorizations/35/confirmations/new
<img width="1539" height="1037" alt="decidim-verification-02" src="https://github.com/user-attachments/assets/6ed646de-a501-4964-8467-013ada55ce2d" />
- The admin then approves this request by looking up the ID in the picture (not shown in this image, but a real ID would expose this)
<img width="1542" height="652" alt="decidim-verification-03" src="https://github.com/user-attachments/assets/c7ee5bea-3fa2-43d9-8330-8d834f34a9af" />
- Now the request has been approved, which can be seen from the org2 participant authorizations page:
<img width="2279" height="720" alt="decidim-verification-04" src="https://github.com/user-attachments/assets/55ee1bab-d396-4e0f-803f-21dc31a2c125" />
Impact
A tenant admin can access, reject or approve another tenant's id_documents requests.
Patches
See https://github.com/decidim/decidim/pull/16666
Workarounds
Disable the "Identity documents" verification
Reference
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
AnalysisAI
Cross-tenant IDOR in Decidim's verification admin flow exposes government-issued identity documents belonging to participants of one organization to administrators of a different tenant on the same instance. An authenticated admin of any tenant can enumerate sequential pending_authorization_id integers in the admin URL to view, approve, or reject ID document and postal-letter verification requests that belong to entirely separate organizations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an active admin-level account on any tenant within the same Decidim multi-tenant instance (PR:H - unauthenticated external attackers cannot exploit this). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) accurately captures the network-accessible, low-complexity nature of the attack but underscores the significant PR:H gate - only authenticated platform admins can exploit this. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An admin authenticated to Tenant A opens the Decidim admin panel and manually crafts or iterates URLs of the form `/admin/id_documents/pending_authorizations/{id}/confirmations/new`, incrementing the integer ID to enumerate records outside their tenant. When a matching record from Tenant B is found, the admin is presented with the uploaded government-issued identity document image - exposing the participant's name, date of birth, and document number - and can approve or reject the request, manipulating Tenant B's verification state without authorization. … |
| Remediation | Upgrade decidim-verifications to a patched release: version 0.30.9 for deployments on the 0.30.x line, 0.31.5 for the 0.31.x line, or 0.32.0 for the 0.32.x line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-86fh-w43w-338c