CVE-2026-45377

MEDIUMPre-NVD 6.56.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Decidim: Private exports can be downloaded through reusable links

Description

The normal download_your_data flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.

Technical description

This private export flow turns an authenticated, user-scoped download into a reusable bearer link because the protected Decidim endpoint redirects to the underlying Active Storage blob URL. Decidim::DownloadYourDataController#download_file correctly scopes the export record to current_user, so the wrapper route itself is not directly accessible to another user. However, once the owner performs that authenticated GET request, the response redirects to a signed Active Storage URL that is no longer bound to the user session. Anyone who learns that URL can replay it and retrieve the file without being logged in as the export owner.

Because the blob redirect URL is delivered through a GET request and appears in the redirect chain, it is more likely to leak through browser history, logs, proxy tooling, screenshots, copied links, support transcripts, or other client-side handling of URLs.

Reproduction steps:

Step 1. Generate or locate a completed export in the Web UI.

  • Sign in as [email protected] at http://localhost:3001/users/sign_in.
  • Open http://localhost:3001/download_your_data.
  • Request a new export from the page and wait until the export becomes downloadable.
  • Open the completed export entry from the list and copy its wrapper URL, for example http://localhost:3001/download_your_data/download?uuid=07286e61-932d-46d4-bd74-bcd1340c503f .

Step 2. Download through the authenticated wrapper route.

  • While still signed in as [email protected], open the wrapper URL in the browser.
  • Confirm that this Decidim route requires the owner session and is not directly usable when logged out or when logged in as another user.

Step 3. Capture the final bearer URL in the redirect chain.

  • In DevTools Network or Burp, inspect the redirect sequence for the wrapper request.
  • Copy the Active Storage redirect URL, typically matching http://localhost:3001/rails/active_storage/blobs/redirect//.
  • Note that the Active Storage redirect URL is no longer protected by the Decidim ownership check.

Step 4. Replay the final file URL without authentication.

  • Open a private window or separate browser with no Decidim session.
  • Paste the copied http://localhost:3001/rails/active_storage/blobs/redirect// URL.
  • Confirm the export file still downloads even though you are not logged in as the export owner.

Impact

Personal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.

Patches

See https://github.com/decidim/decidim/pull/16680

Workarounds

Disable Private Downloads URLs

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

CVSS v3
6.5
EG Score
6.5(low)
EPSS
KEV
Not listed

Published

July 13, 2026

Last Modified

July 13, 2026

Vendor Advisories for CVE-2026-45377(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 3× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 21:09 UTCEG score recompute
  2. 2026-07-14 19:09 UTCEG score recompute
  3. 2026-07-13 17:08 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-45377?
CVE-2026-45377 is a medium vulnerability published on July 13, 2026. Decidim: Private exports can be downloaded through reusable links Description The normal downloadyourdata flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it. Technical…
When was CVE-2026-45377 disclosed?
CVE-2026-45377 was first published in the National Vulnerability Database on July 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-45377?
CVE-2026-45377 has a CVSS v4.0 base score of 6.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45377?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45377, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-45377

Explore →

Is Your Infrastructure Affected by CVE-2026-45377?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.