PT-2026-60064 · Rubygems · Decidim-Demographics

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-45086

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

A participant can load the demographics questionnaire admin editor and make changes.

Technical description

The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.
Reproduction steps:
Step 1. Sign in as a normal participant: Open http://localhost:3000/users/sign in. Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit questions in the same browser. Step 3. Add another question:
decidim-questions-01
Note that access was denied when attempting to see question responses or settings.

Impact

  • Low-privilege users can access questionnaire-admin interfaces.
  • They can read question-management surfaces that should remain limited to questionnaire managers.

Patches

Workarounds

Disable the "decidim-demographics" module

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45086
GHSA-VQ6J-HJ8W-7V39

Affected Products

Decidim-Demographics