RubySec

Providing security resources for the Ruby community

CVE-2026-45415 (decidim-verifications): Decidim - CSV census record endpoints improper authorization

Decidim - CSV census record endpoints improper authorization

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-verifications

SEVERITY

CVSS v3.x: 6.0 (Medium)

PATCHED VERSIONS

~> 0.30.9 ~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

A participant manager can access and modify the CSV census record admin forms.

Impact

Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED