Decidim Verifications CVE-2026-45415
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Network vector because the admin panel is web-accessible; PR:H because participant manager is an authenticated privileged role; I:H for full census data mutation; C:L for census record read access; A:L for potential deletion of verification records.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Description
A participant manager can access and modify the CSV census record admin forms.
Technical description
The CSV census admin record-management surface under /admin/csv_census/census_logs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum.
A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.
Reproduction steps:
- Sign in a participant admin and open
http://localhost:3000/admin/csv_census/census_logs/new_recordin the browser. Confirm the create form loads even though the session is not a full admin.
<img width="1541" height="274" alt="decidim-census-01" src="https://github.com/user-attachments/assets/859ee101-746f-4acb-8051-27036689f1b3" />
<img width="1538" height="363" alt="decidim-census-02" src="https://github.com/user-attachments/assets/85bbb004-a999-46dc-856c-fd32b50ced2c" />
Note that normal participant accounts were not able to access the CSV census records which is good.
Impact
Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.
Patches
See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703
Workarounds
Disable Organization Census verification method
Reference
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
AnalysisAI
Improper authorization in Decidim's CSV census admin controller allows participant managers to read, create, update, and delete CSV census rows they are not permitted to access. The /admin/csv_census/census_logs endpoint family in decidim-verifications fails to call enforce_permission_to before rendering or mutating Decidim::Verifications::CsvDatum, granting participant managers the same data-mutation capability as full administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session holding the participant manager (process admin) role - a role that is intentionally granted to trusted users for managing participants but is not supposed to have access to census administration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.0 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L) accurately reflects the access requirements: exploitation requires a pre-existing participant manager (process admin) account, which represents high privilege in CVSS terms. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised participant manager authenticates to the Decidim admin panel and directly navigates to `/admin/csv_census/census_logs/new_record`. Because no permission check is enforced, the create form loads normally. … |
| Remediation | Upgrade `decidim-verifications` to a fixed release: 0.30.9 for installations on the 0.30.x branch, 0.31.5 for the 0.31.x branch, or 0.32.0 for the 0.32.x branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q79h-67vx-m9xg