Decidim - CSV census record endpoints improper authorization
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45415 (NVD)
- GHSA: GHSA-q79h-67vx-m9xg
GEM
SEVERITY
CVSS v3.x: 6.0 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
A participant manager can access and modify the CSV census record admin forms.
Impact
Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45415
- https://rubygems.org/gems/decidim-verifications/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16674
- https://github.com/decidim/decidim/pull/16703
- https://advisories.gitlab.com/gem/decidim-verifications/CVE-2026-45415
- https://github.com/decidim/decidim/security/advisories/GHSA-q79h-67vx-m9xg
- https://github.com/advisories/GHSA-q79h-67vx-m9xg
