GHSA-Q79H-67VX-M9XG

Vulnerability from github – Published: 2026-07-13 17:17 – Updated: 2026-07-13 17:17
VLAI
Summary
Decidim: CSV census record endpoints improper authorization
Details

Description

A participant manager can access and modify the CSV census record admin forms.

Technical description

The CSV census admin record-management surface under /admin/csv_census/census_logs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum.

A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.

Reproduction steps: 1. Sign in a participant admin and open http://localhost:3000/admin/csv_census/census_logs/new_record in the browser. Confirm the create form loads even though the session is not a full admin.

decidim-census-01

decidim-census-02

Note that normal participant accounts were not able to access the CSV census records which is good.

Impact

Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.

Patches

See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703

Workarounds

Disable Organization Census verification method

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-verifications"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-verifications"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0.rc1"
            },
            {
              "fixed": "0.31.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-verifications"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0.rc1"
            },
            {
              "fixed": "0.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T17:17:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Description\n\nA participant manager can access and modify the CSV census record admin forms.\n\n## Technical description\n\nThe CSV census admin record-management surface under `/admin/csv_census/census_logs` does not enforce admin-only authorization before rendering or mutating `Decidim::Verifications::CsvDatum`.\n\nA participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.\n\nReproduction steps:\n1. Sign in a participant admin and open `http://localhost:3000/admin/csv_census/census_logs/new_record` in the browser. Confirm the create form loads even though the session is not a full admin.\n\n\u003cimg width=\"1541\" height=\"274\" alt=\"decidim-census-01\" src=\"https://github.com/user-attachments/assets/859ee101-746f-4acb-8051-27036689f1b3\" /\u003e\n\n\u003cimg width=\"1538\" height=\"363\" alt=\"decidim-census-02\" src=\"https://github.com/user-attachments/assets/85bbb004-a999-46dc-856c-fd32b50ced2c\" /\u003e\n\nNote that normal participant accounts were not able to access the CSV census records which is good.\n\n### Impact\n \nAny participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.\n\n### Patches\n\nSee https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703 \n\n### Workarounds\n\nDisable Organization Census verification method\n\n### Reference\n\nOWASP A01:2021 Broken Access Control\n\n### Credits\n\nThis issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).",
  "id": "GHSA-q79h-67vx-m9xg",
  "modified": "2026-07-13T17:17:33Z",
  "published": "2026-07-13T17:17:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-q79h-67vx-m9xg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/16674"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/16703"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim/decidim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Decidim: CSV census record endpoints improper authorization"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…