Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-vq6j-hj8w-7v39: Decidim: Forms admin question editor lacks authorization

0
Medium
Published: 07/13/2026 (07/13/2026, 16:51:05 UTC)
Source: GCVE Database
Product: decidim-demographics

Description

Decidim's demographics questionnaire admin editor lacks proper authorization checks, allowing normal participants to access and modify the admin question editor interface. This vulnerability permits low-privilege users to reach and interact with question-management features that should be restricted to administrators. The issue affects versions 0.31.0 up to but not including 0.31.5 of the decidim-demographics module. A patch is available as referenced in the Decidim GitHub repository. As a workaround, disabling the decidim-demographics module can prevent exploitation.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected software

RubyGemsghsa
decidim-demographics
Affected versions
>=0.31.0 <0.31.5
RubyGemsghsa
decidim-demographics
Affected versions
>=0.32.0.rc1 <0.32.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 10:02:46 UTC

Technical Analysis

The demographics questionnaire editor in Decidim does not enforce admin access control on the route /admin/demographics/questions, allowing authenticated non-admin participants to load and modify the admin question editor interface. This broken access control vulnerability (CWE-284) enables unauthorized users to access and alter questionnaire management surfaces intended only for administrators. The vulnerability affects decidim-demographics versions >=0.31.0 and <0.31.5. The issue was identified during a security audit and is tracked as CVE-2026-45086. A patch is available via Decidim's GitHub pull request 16665, and disabling the module is a recommended workaround until patched.

Potential Impact

Low-privilege users can access and modify the demographics questionnaire admin editor, potentially altering questionnaire content without proper authorization. This unauthorized access compromises the integrity of the questionnaire management but does not affect availability or confidentiality of questionnaire responses, as access to question responses and settings remains denied.

Mitigation Recommendations

A patch addressing this broken access control vulnerability is available in Decidim's GitHub repository (pull request 16665). Users should apply this official fix to restrict access to the demographics questionnaire admin editor to administrators only. As a temporary workaround, disabling the decidim-demographics module will prevent unauthorized access to the admin editor interface.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-vq6j-hj8w-7v39
Osv Schema Version
1.4.0
Aliases
["CVE-2026-45086"]
Ecosystems
["RubyGems"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a55ffc368715ace432fcccb

Added to database: 07/14/2026, 09:22:11 UTC

Last enriched: 07/14/2026, 10:02:46 UTC

Last updated: 07/14/2026, 10:02:46 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses