RubySec

Providing security resources for the Ruby community

CVE-2026-45377 (decidim-core): Decidim - Private exports can be downloaded through reusable links

Decidim - Private exports can be downloaded through reusable links

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-core

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

~> 0.30.9 ~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

The normal download_your_data flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.

Impact

Personal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED