GHSA-vq6j-hj8w-7v39MediumCVSS 5.4

Decidim: Forms admin question editor lacks authorization

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

A participant can load the demographics questionnaire admin editor and make changes.

Technical description

The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the caller is an admin. A normal participant can load the page and see the live update form action, which proves the protected interface is reachable.

Reproduction steps:

Step 1. Sign in as a normal participant: Open http://localhost:3000/users/sign_in. Step 2. Request the admin-only editor directly. Open http://localhost:3000/admin/demographics/questions/edit_questions in the same browser. Step 3. Add another question:

Note that access was denied when attempting to see question responses or settings.

Impact

  • Low-privilege users can access questionnaire-admin interfaces.
  • They can read question-management surfaces that should remain limited to questionnaire managers.

Patches

See https://github.com/decidim/decidim/pull/16665

Workarounds

Disable the "decidim-demographics" module

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

🎯 Affected products2

  • rubygems/decidim-demographics:>= 0.31.0, < 0.31.5
  • rubygems/decidim-demographics:>= 0.32.0.rc1, < 0.32.0

🔗 References (3)