Decidim Admin CVE-2026-45376
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Network-accessible admin-only endpoint (AV:N/PR:H); scope changes to other PostgreSQL tables via application role (S:C/C:H); low availability added for timing-based resource exhaustion noted in advisory (A:L).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.
Technical description
The vulnerable endpoint is exposed as GET /admin/organization/users in decidim-admin/config/routes.rb:
resource :organization, only: [:edit, :update], controller: "organization" do
member do
get :users
end
endThat route reaches Decidim::Admin::OrganizationController#users, which forwards the current organization's available users into search:
def users
search(current_organization.users.available)
endInside search, the attacker-controlled source is params[:term]:
if (term = params[:term].to_s).present?The query has two branches. In both branches, the WHERE predicates use bind parameters and are not the injection sink. The vulnerability is in the subsequent .order(Arel.sql(...)) calls, where the untrusted value is interpolated directly into SQL string literals.
Nickname branch:
nickname = term.delete("@")
relation.where("nickname LIKE ?", "#{nickname}%")
.order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("similarity(nickname, '#{nickname}') DESC")))Name/email branch:
relation.where("name ILIKE ?", "%#{term}%").or(
relation.where("email ILIKE ?", "%#{term}%")
)
.order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("GREATEST(similarity(name, '#{term}'), similarity(email, '#{term}')) DESC")))
.order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("(similarity(name, '#{term}') + similarity(email, '#{term}')) / 2 DESC")))This use of sanitize_sql_array does not make the code safe. The interpolation happens first, so Rails receives an already-built SQL string rather than a statement with bind placeholders. As a result, a quote in term can terminate the intended string literal and inject attacker-controlled SQL into the ORDER BY expression.
For example, a payload such as slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) -- produces a fragment equivalent to:
GREATEST(similarity(name, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --'), similarity(email, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --')) DESCThe injected subquery is therefore evaluated by PostgreSQL as SQL, not treated purely as data. Because the sink is in ORDER BY, the endpoint can still return a normal 200 OK response while exposing the issue through measurable timing differences.
Source-to-sink chain:
- Source:
params[:term] - Propagation:
term = params[:term].to_s - Sink:
.order(Arel.sql(... "#{term}" ...))and.order(Arel.sql(... "#{nickname}" ...)) - Effect: attacker-controlled SQL is executed inside the database sort expression
Reproduction steps:
- Authenticate as an organization admin.
- Ensure the search returns at least one row for the chosen payload. For a deterministic test, create a temporary
user whose name, email, or nickname matches the probe string.
- Send a control request to
GET /admin/organization/users?term=testwithAccept: application/jsonand record the response time. - Send a payload request such as
GET /admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20--withAccept: application/json. - Observe that the endpoint still responds successfully, but the response time increases by approximately the sleep
interval, demonstrating time-based SQL execution in the ORDER BY clause.
Impact
- Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
- An authenticated admin can inject arbitrary SQL expressions into the query's
ORDER BYclause and use timing differences as a blind SQL oracle. - The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
- The issue remains exploitable even without verbose database errors because time-based payloads such as
pg_sleepprovide a reliable blind side channel. - Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.
Patches
See https://github.com/decidim/decidim/pull/16668
Workarounds
Review your administrator accesses and not give access to untrustworthy users
Reference
OWASP SQL Injection
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
AnalysisAI
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the term query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as pg_sleep that return HTTP 200 while leaking data through measurable response-time deltas. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated session holding the organization administrator role in Decidim - anonymous users, regular participants, and space-level administrators cannot access `GET /admin/organization/users`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 6.8 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) accurately reflects the high privilege barrier: only organization administrators can reach the vulnerable endpoint, which sharply limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An organization administrator authenticates to a Decidim instance, then sends a crafted GET request to `/admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20--` with an `Accept: application/json` header. The server returns HTTP 200 after approximately 21 additional seconds compared to a baseline request, confirming that the `pg_sleep(21)` subquery was executed inside PostgreSQL's ORDER BY evaluation. … |
| Remediation | Upgrade the `decidim-admin` gem to the patched release for your branch: version 0.30.9 for 0.30.x deployments, 0.31.5 for 0.31.x deployments, or 0.32.0 for 0.32.x deployments. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jvqq-cvh4-xm37