Decidim - Push subscriptions can be abused for server-side requests
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45573 (NVD)
- GHSA: GHSA-2g9c-vf8h-prxx
GEM
SEVERITY
CVSS v3.x: 6.4 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request sink when VAPID delivery is enabled. The practical result is an authenticated, stored, mostly blind SSRF primitive to arbitrary HTTPS endpoints reachable from the app server.
Impact
- In a configured deployment, an authenticated user can register an attacker-controlled or otherwise unauthorized HTTPS URL.
- The server then sends outbound
POSTrequests there whenever a notification is pushed. - This is a stored, mostly blind SSRF primitive: useful for outbound interaction with attacker infrastructure and, where routable, internal HTTPS services.
- Notification metadata is disclosed to the supplied endpoint through the encrypted web push request path.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45573
- https://rubygems.org/gems/decidim-core/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16714
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45573
- https://github.com/decidim/decidim/security/advisories/GHSA-2g9c-vf8h-prxx
- https://github.com/advisories/GHSA-2g9c-vf8h-prxx
