RubySec

Providing security resources for the Ruby community

CVE-2026-45086 (decidim-demographics): Decidim - Forms admin question editor lacks authorization

Decidim - Forms admin question editor lacks authorization

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-demographics

SEVERITY

CVSS v3.x: 5.4 (Medium)

UNAFFECTED VERSIONS

< 0.31.0

PATCHED VERSIONS

~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

A participant can load the demographics questionnaire admin editor and make changes.

Impact

  • Low-privilege users can access questionnaire-admin interfaces.
  • They can read question-management surfaces that should remain limited to questionnaire managers.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED