RubySec

Providing security resources for the Ruby community

CVE-2026-45573 (decidim-core): Decidim - Push subscriptions can be abused for server-side requests

Decidim - Push subscriptions can be abused for server-side requests

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-core

SEVERITY

CVSS v3.x: 6.4 (Medium)

PATCHED VERSIONS

~> 0.30.9 ~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request sink when VAPID delivery is enabled. The practical result is an authenticated, stored, mostly blind SSRF primitive to arbitrary HTTPS endpoints reachable from the app server.

Impact

  • In a configured deployment, an authenticated user can register an attacker-controlled or otherwise unauthorized HTTPS URL.
  • The server then sends outbound POST requests there whenever a notification is pushed.
  • This is a stored, mostly blind SSRF primitive: useful for outbound interaction with attacker infrastructure and, where routable, internal HTTPS services.
  • Notification metadata is disclosed to the supplied endpoint through the encrypted web push request path.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED