CVE-2026-45376

MEDIUMPre-NVD 6.86.8
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.8
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Decidim: Admin user search allows SQL injection through similarity-based sorting

The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.

Technical description

The vulnerable endpoint is exposed as GET /admin/organization/users in decidim-admin/config/routes.rb:

resource :organization, only: [:edit, :update], controller: "organization" do
  member do
    get :users
  end
end

That route reaches Decidim::Admin::OrganizationController#users, which forwards the current organization's available users into search:

def users
  search(current_organization.users.available)
end

Inside search, the attacker-controlled source is params[:term]:

if (term = params[:term].to_s).present?

The query has two branches. In both branches, the WHERE predicates use bind parameters and are not the injection sink. The vulnerability is in the subsequent .order(Arel.sql(...)) calls, where the untrusted value is interpolated directly into SQL string literals.

Nickname branch:

nickname = term.delete("@")
relation.where("nickname LIKE ?", "#{nickname}%")
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("similarity(nickname, '#{nickname}') DESC")))

Name/email branch:

relation.where("name ILIKE ?", "%#{term}%").or(
  relation.where("email ILIKE ?", "%#{term}%")
)
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("GREATEST(similarity(name, '#{term}'), similarity(email, '#{term}')) DESC")))
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("(similarity(name, '#{term}') + similarity(email, '#{term}')) / 2 DESC")))

This use of sanitize_sql_array does not make the code safe. The interpolation happens first, so Rails receives an already-built SQL string rather than a statement with bind placeholders. As a result, a quote in term can terminate the intended string literal and inject attacker-controlled SQL into the ORDER BY expression.

For example, a payload such as slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) -- produces a fragment equivalent to:

GREATEST(similarity(name, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --'), similarity(email, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --')) DESC

The injected subquery is therefore evaluated by PostgreSQL as SQL, not treated purely as data. Because the sink is in ORDER BY, the endpoint can still return a normal 200 OK response while exposing the issue through measurable timing differences.

Source-to-sink chain:

* Source: params[:term] * Propagation: term = params[:term].to_s * Sink: .order(Arel.sql(... "#{term}" ...)) and .order(Arel.sql(... "#{nickname}" ...)) * Effect: attacker-controlled SQL is executed inside the database sort expression

Reproduction steps:

  • Authenticate as an organization admin.
  • Ensure the search returns at least one row for the chosen payload. For a deterministic test, create a temporary
user whose name, email, or nickname matches the probe string.
  • Send a control request to GET /admin/organization/users?term=test with Accept: application/json and record the response time.
  • Send a payload request such as GET /admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20-- with Accept: application/json.
  • Observe that the endpoint still responds successfully, but the response time increases by approximately the sleep
interval, demonstrating time-based SQL execution in the ORDER BY clause.

Impact

  • Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
  • An authenticated admin can inject arbitrary SQL expressions into the query's ORDER BY clause and use timing differences as a blind SQL oracle.
  • The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
  • The issue remains exploitable even without verbose database errors because time-based payloads such as pg_sleep provide a reliable blind side channel.
  • Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.

Patches

See https://github.com/decidim/decidim/pull/16668

Workarounds

Review your administrator accesses and not give access to untrustworthy users

Reference

OWASP SQL Injection

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

CVSS v3
6.8
EG Score
6.8(low)
EPSS
KEV
Not listed

Published

July 13, 2026

Last Modified

July 13, 2026

Vendor Advisories for CVE-2026-45376(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 19:56 UTCEG score recompute
  2. 2026-07-14 18:32 UTCEG score recompute
  3. 2026-07-13 17:08 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-45376?
CVE-2026-45376 is a medium vulnerability published on July 13, 2026. Decidim: Admin user search allows SQL injection through similarity-based sorting The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by…
When was CVE-2026-45376 disclosed?
CVE-2026-45376 was first published in the National Vulnerability Database on July 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-45376?
CVE-2026-45376 has a CVSS v4.0 base score of 6.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45376?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45376, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-45376

Explore →

Is Your Infrastructure Affected by CVE-2026-45376?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.