Decidim - Admin user search allows SQL injection through similarity-based sorting
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45376 (NVD)
- GHSA: GHSA-jvqq-cvh4-xm37
GEM
SEVERITY
CVSS v3.x: 6.8 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.
Impact
- Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
- An authenticated admin can inject arbitrary SQL expressions into
the query's
ORDER BYclause and use timing differences as a blind SQL oracle. - The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
- The issue remains exploitable even without verbose database errors
because time-based payloads such as
pg_sleepprovide a reliable blind side channel. - Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45376
- https://rubygems.org/gems/decidim-admin/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16668
- https://advisories.gitlab.com/gem/decidim-admin/CVE-2026-45376
- https://github.com/decidim/decidim/security/advisories/GHSA-jvqq-cvh4-xm37
- https://github.com/advisories/GHSA-jvqq-cvh4-xm37
