GHSA-q79h-67vx-m9xgMediumCVSS 6.0

Decidim: CSV census record endpoints improper authorization

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

A participant manager can access and modify the CSV census record admin forms.

Technical description

The CSV census admin record-management surface under /admin/csv_census/census_logs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum.

A participant manager (which can only manage participants) can therefore open the admin forms, create or update census rows, and delete rows directly.

Reproduction steps:

  1. Sign in a participant admin and open http://localhost:3000/admin/csv_census/census_logs/new_record in the browser. Confirm the create form loads even though the session is not a full admin.

Note that normal participant accounts were not able to access the CSV census records which is good.

Impact

Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows.

Patches

See https://github.com/decidim/decidim/pull/16674 and https://github.com/decidim/decidim/pull/16703

Workarounds

Disable Organization Census verification method

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

🎯 Affected products3

  • rubygems/decidim-verifications:< 0.30.9
  • rubygems/decidim-verifications:>= 0.31.0.rc1, < 0.31.5
  • rubygems/decidim-verifications:>= 0.32.0.rc1, < 0.32.0

🔗 References (4)