Skip to main content

Decidim CVE-2026-45377

MEDIUM
Information Exposure (CWE-200)
2026-07-13 https://github.com/decidim/decidim GHSA-767h-63j4-5226
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Attacker needs no Decidim credentials (PR:N) but the legitimate owner must first click the download link to generate the leakable URL (UI:R); full personal data export disclosed (C:H) with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:40 vuln.today
Analysis Generated
Jul 13, 2026 - 19:40 vuln.today

DescriptionGitHub Advisory

Description

The normal download_your_data flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.

Technical description

This private export flow turns an authenticated, user-scoped download into a reusable bearer link because the protected Decidim endpoint redirects to the underlying Active Storage blob URL. Decidim::DownloadYourDataController#download_file correctly scopes the export record to current_user, so the wrapper route itself is not directly accessible to another user. However, once the owner performs that authenticated GET request, the response redirects to a signed Active Storage URL that is no longer bound to the user session. Anyone who learns that URL can replay it and retrieve the file without being logged in as the export owner.

Because the blob redirect URL is delivered through a GET request and appears in the redirect chain, it is more likely to leak through browser history, logs, proxy tooling, screenshots, copied links, support transcripts, or other client-side handling of URLs.

Reproduction steps:

Step 1. Generate or locate a completed export in the Web UI.

  1. Sign in as user@example.org at http://localhost:3001/users/sign_in.
  2. Open http://localhost:3001/download_your_data.
  3. Request a new export from the page and wait until the export becomes downloadable.
  4. Open the completed export entry from the list and copy its wrapper URL, for example http://localhost:3001/download_your_data/download?uuid=07286e61-932d-46d4-bd74-bcd1340c503f .

Step 2. Download through the authenticated wrapper route.

  1. While still signed in as user@example.org, open the wrapper URL in the browser.
  2. Confirm that this Decidim route requires the owner session and is not directly usable when logged out or when logged in as another user.

Step 3. Capture the final bearer URL in the redirect chain.

  1. In DevTools Network or Burp, inspect the redirect sequence for the wrapper request.
  2. Copy the Active Storage redirect URL, typically matching http://localhost:3001/rails/active_storage/blobs/redirect/<SIGNED_ID>/<FILENAME>.
  3. Note that the Active Storage redirect URL is no longer protected by the Decidim ownership check.

Step 4. Replay the final file URL without authentication.

  1. Open a private window or separate browser with no Decidim session.
  2. Paste the copied http://localhost:3001/rails/active_storage/blobs/redirect/<SIGNED_ID>/<FILENAME> URL.
  3. Confirm the export file still downloads even though you are not logged in as the export owner.

Impact

Personal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.

Patches

See https://github.com/decidim/decidim/pull/16680

Workarounds

Disable Private Downloads URLs

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Private data exports in Decidim (decidim-core) are protected at the wrapper route level but expose reusable, session-unbound Active Storage blob redirect URLs that any party who obtains the URL can replay without authentication. The flaw affects all users of the download_your_data feature across three version lines of the decidim-core gem, allowing complete disclosure of a user's personal data export - GDPR-scope data - through passive leakage channels including browser history, proxy logs, referrer headers, screenshots, or shared support transcripts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Victim generates personal data export in Decidim UI
Delivery
Victim clicks authenticated download link triggering DownloadYourDataController
Exploit
Server issues 302 redirect to session-unbound Active Storage blob URL
Install
Signed blob URL leaks via browser history, proxy log, or referrer header
C2
Attacker obtains leaked URL through secondary channel
Execute
Attacker replays URL in unauthenticated session
Impact
Personal data export downloaded without authentication

Vulnerability AssessmentAI

Exploitation Exploitation requires two sequential prerequisites. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N and score of 6.5 accurately characterizes the attack: network-reachable with low complexity and no attacker privileges, but conditional on the legitimate owner first accessing the download link (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targets a support representative who handles a Decidim user's data export request. After the user clicks the authenticated download link, the Active Storage redirect URL appears in the support tool's access log or is pasted into a ticket. …
Remediation Upgrade decidim-core to a patched version: 0.30.9 for the 0.30.x branch, 0.31.5 for the 0.31.x branch, or 0.32.0 for the 0.32.x branch, as described in the security advisory at https://github.com/decidim/decidim/security/advisories/GHSA-767h-63j4-5226 and implemented in PR https://github.com/decidim/decidim/pull/16680. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy