PT-2026-60064 · Rubygems · Decidim-Demographics

CVE-2026-45086

·

Publicado

2026-07-13

·

Atualizado

2026-07-13

CVSS v3.1

5.4

Média

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

A participant can load the demographics questionnaire admin editor and make changes.

Technical description

The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.
Reproduction steps:
Step 1. Sign in as a normal participant: Open http://localhost:3000/users/sign in. Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit questions in the same browser. Step 3. Add another question:
decidim-questions-01
Note that access was denied when attempting to see question responses or settings.

Impact

  • Low-privilege users can access questionnaire-admin interfaces.
  • They can read question-management surfaces that should remain limited to questionnaire managers.

Patches

Workarounds

Disable the "decidim-demographics" module

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Correção

Improper Access Control

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-45086
GHSA-VQ6J-HJ8W-7V39

Produtos afetados

Decidim-Demographics