Decidim - Private exports can be downloaded through reusable links
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45377 (NVD)
- GHSA: GHSA-767h-63j4-5226
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
The normal download_your_data flow requires the requester to be
logged in as the export owner, but the resulting Active Storage blob
redirect URL can be replayed without authentication by anyone who obtains it.
Impact
Personal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45377
- https://rubygems.org/gems/decidim-core/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16680
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45377
- https://github.com/decidim/decidim/security/advisories/GHSA-767h-63j4-5226
- https://github.com/advisories/GHSA-767h-63j4-5226
