Decidim - Forms admin question editor lacks authorization
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45086 (NVD)
- GHSA: GHSA-vq6j-hj8w-7v39
GEM
SEVERITY
CVSS v3.x: 5.4 (Medium)
UNAFFECTED VERSIONS
< 0.31.0
PATCHED VERSIONS
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
A participant can load the demographics questionnaire admin editor and make changes.
Impact
- Low-privilege users can access questionnaire-admin interfaces.
- They can read question-management surfaces that should remain limited to questionnaire managers.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45086
- https://rubygems.org/gems/decidim-core/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/pull/16665
- https://advisories.gitlab.com/gem/decidim-demographics/CVE-2026-45086
- https://github.com/decidim/decidim/security/advisories/GHSA-vq6j-hj8w-7v39
- https://github.com/advisories/GHSA-vq6j-hj8w-7v39
