PT-2026-60064 · Rubygems · Decidim-Demographics
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-45086
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Description
A participant can load the demographics questionnaire admin editor and make changes.
Technical description
The demographics questionnaire editor should require admin access, but the route under
/admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.Reproduction steps:
Step 1. Sign in as a normal participant: Open
http://localhost:3000/users/sign in.
Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit questions in the same browser.
Step 3. Add another question:Note that access was denied when attempting to see question responses or settings.
Impact
- Low-privilege users can access questionnaire-admin interfaces.
- They can read question-management surfaces that should remain limited to questionnaire managers.
Patches
Workarounds
Disable the "decidim-demographics" module
Reference
OWASP A01:2021 Broken Access Control
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Decidim-Demographics