Skip to main content

Decidim Verifications CVE-2026-45415

MEDIUM
Improper Authorization (CWE-285)
2026-07-13 https://github.com/decidim/decidim GHSA-q79h-67vx-m9xg
6.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
vuln.today AI
6.0 MEDIUM

Network vector because the admin panel is web-accessible; PR:H because participant manager is an authenticated privileged role; I:H for full census data mutation; C:L for census record read access; A:L for potential deletion of verification records.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:40 vuln.today
Analysis Generated
Jul 13, 2026 - 19:40 vuln.today

DescriptionGitHub Advisory

Description

A participant manager can access and modify the CSV census record admin forms.

Technical description

The CSV census admin record-management surface under /admin/csv_census/census_logs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum.

A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.

Reproduction steps:

  1. Sign in a participant admin and open http://localhost:3000/admin/csv_census/census_logs/new_record in the browser. Confirm the create form loads even though the session is not a full admin.

<img width="1541" height="274" alt="decidim-census-01" src="https://github.com/user-attachments/assets/859ee101-746f-4acb-8051-27036689f1b3" />

<img width="1538" height="363" alt="decidim-census-02" src="https://github.com/user-attachments/assets/85bbb004-a999-46dc-856c-fd32b50ced2c" />

Note that normal participant accounts were not able to access the CSV census records which is good.

Impact

Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.

Patches

See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703

Workarounds

Disable Organization Census verification method

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Improper authorization in Decidim's CSV census admin controller allows participant managers to read, create, update, and delete CSV census rows they are not permitted to access. The /admin/csv_census/census_logs endpoint family in decidim-verifications fails to call enforce_permission_to before rendering or mutating Decidim::Verifications::CsvDatum, granting participant managers the same data-mutation capability as full administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain participant manager credentials
Delivery
Authenticate to Decidim admin panel
Exploit
Navigate directly to /admin/csv_census/census_logs
Execution
Bypass missing permission check
Persist
Create, modify, or delete CSV census rows
Impact
Corrupt verification eligibility for targeted participants

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session holding the participant manager (process admin) role - a role that is intentionally granted to trusted users for managing participants but is not supposed to have access to census administration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.0 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L) accurately reflects the access requirements: exploitation requires a pre-existing participant manager (process admin) account, which represents high privilege in CVSS terms. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised participant manager authenticates to the Decidim admin panel and directly navigates to `/admin/csv_census/census_logs/new_record`. Because no permission check is enforced, the create form loads normally. …
Remediation Upgrade `decidim-verifications` to a fixed release: 0.30.9 for installations on the 0.30.x branch, 0.31.5 for the 0.31.x branch, or 0.32.0 for the 0.32.x branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy