Skip to main content

Decidim Admin CVE-2026-45376

MEDIUM
SQL Injection (CWE-89)
2026-07-13 https://github.com/decidim/decidim GHSA-jvqq-cvh4-xm37
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.6 HIGH

Network-accessible admin-only endpoint (AV:N/PR:H); scope changes to other PostgreSQL tables via application role (S:C/C:H); low availability added for timing-based resource exhaustion noted in advisory (A:L).

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:40 vuln.today
Analysis Generated
Jul 13, 2026 - 19:40 vuln.today

DescriptionGitHub Advisory

The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.

Technical description

The vulnerable endpoint is exposed as GET /admin/organization/users in decidim-admin/config/routes.rb:

ruby
resource :organization, only: [:edit, :update], controller: "organization" do
  member do
    get :users
  end
end

That route reaches Decidim::Admin::OrganizationController#users, which forwards the current organization's available users into search:

ruby
def users
  search(current_organization.users.available)
end

Inside search, the attacker-controlled source is params[:term]:

ruby
if (term = params[:term].to_s).present?

The query has two branches. In both branches, the WHERE predicates use bind parameters and are not the injection sink. The vulnerability is in the subsequent .order(Arel.sql(...)) calls, where the untrusted value is interpolated directly into SQL string literals.

Nickname branch:

ruby
nickname = term.delete("@")
relation.where("nickname LIKE ?", "#{nickname}%")
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("similarity(nickname, '#{nickname}') DESC")))

Name/email branch:

ruby
relation.where("name ILIKE ?", "%#{term}%").or(
  relation.where("email ILIKE ?", "%#{term}%")
)
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("GREATEST(similarity(name, '#{term}'), similarity(email, '#{term}')) DESC")))
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("(similarity(name, '#{term}') + similarity(email, '#{term}')) / 2 DESC")))

This use of sanitize_sql_array does not make the code safe. The interpolation happens first, so Rails receives an already-built SQL string rather than a statement with bind placeholders. As a result, a quote in term can terminate the intended string literal and inject attacker-controlled SQL into the ORDER BY expression.

For example, a payload such as slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) -- produces a fragment equivalent to:

sql
GREATEST(similarity(name, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --'), similarity(email, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --')) DESC

The injected subquery is therefore evaluated by PostgreSQL as SQL, not treated purely as data. Because the sink is in ORDER BY, the endpoint can still return a normal 200 OK response while exposing the issue through measurable timing differences.

Source-to-sink chain:

  • Source: params[:term]
  • Propagation: term = params[:term].to_s
  • Sink: .order(Arel.sql(... "#{term}" ...)) and .order(Arel.sql(... "#{nickname}" ...))
  • Effect: attacker-controlled SQL is executed inside the database sort expression

Reproduction steps:

  1. Authenticate as an organization admin.
  2. Ensure the search returns at least one row for the chosen payload. For a deterministic test, create a temporary

user whose name, email, or nickname matches the probe string.

  1. Send a control request to GET /admin/organization/users?term=test with Accept: application/json and record the response time.
  2. Send a payload request such as GET /admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20-- with Accept: application/json.
  3. Observe that the endpoint still responds successfully, but the response time increases by approximately the sleep

interval, demonstrating time-based SQL execution in the ORDER BY clause.

Impact

  • Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
  • An authenticated admin can inject arbitrary SQL expressions into the query's ORDER BY clause and use timing differences as a blind SQL oracle.
  • The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
  • The issue remains exploitable even without verbose database errors because time-based payloads such as pg_sleep provide a reliable blind side channel.
  • Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.

Patches

See https://github.com/decidim/decidim/pull/16668

Workarounds

Review your administrator accesses and not give access to untrustworthy users

Reference

OWASP SQL Injection

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the term query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as pg_sleep that return HTTP 200 while leaking data through measurable response-time deltas. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise organization admin credentials
Delivery
Authenticate to Decidim admin panel
Exploit
Craft time-based SQL payload in `term` parameter
Execution
Send GET /admin/organization/users with injected pg_sleep fragment
Persist
Measure response-time delta to confirm blind SQL execution
Impact
Iteratively query PostgreSQL via timing oracle to exfiltrate sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an active, authenticated session holding the organization administrator role in Decidim - anonymous users, regular participants, and space-level administrators cannot access `GET /admin/organization/users`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 6.8 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) accurately reflects the high privilege barrier: only organization administrators can reach the vulnerable endpoint, which sharply limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization administrator authenticates to a Decidim instance, then sends a crafted GET request to `/admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20--` with an `Accept: application/json` header. The server returns HTTP 200 after approximately 21 additional seconds compared to a baseline request, confirming that the `pg_sleep(21)` subquery was executed inside PostgreSQL's ORDER BY evaluation. …
Remediation Upgrade the `decidim-admin` gem to the patched release for your branch: version 0.30.9 for 0.30.x deployments, 0.31.5 for 0.31.x deployments, or 0.32.0 for 0.32.x deployments. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-45376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy