GHSA-vq6j-hj8w-7v39: Decidim: Forms admin question editor lacks authorization
Decidim's demographics questionnaire admin editor lacks proper authorization checks, allowing normal participants to access and modify the admin question editor interface. This vulnerability permits low-privilege users to reach and interact with question-management features that should be restricted to administrators. The issue affects versions 0.31.0 up to but not including 0.31.5 of the decidim-demographics module. A patch is available as referenced in the Decidim GitHub repository. As a workaround, disabling the decidim-demographics module can prevent exploitation.
AI Analysis
Technical Summary
The demographics questionnaire editor in Decidim does not enforce admin access control on the route /admin/demographics/questions, allowing authenticated non-admin participants to load and modify the admin question editor interface. This broken access control vulnerability (CWE-284) enables unauthorized users to access and alter questionnaire management surfaces intended only for administrators. The vulnerability affects decidim-demographics versions >=0.31.0 and <0.31.5. The issue was identified during a security audit and is tracked as CVE-2026-45086. A patch is available via Decidim's GitHub pull request 16665, and disabling the module is a recommended workaround until patched.
Potential Impact
Low-privilege users can access and modify the demographics questionnaire admin editor, potentially altering questionnaire content without proper authorization. This unauthorized access compromises the integrity of the questionnaire management but does not affect availability or confidentiality of questionnaire responses, as access to question responses and settings remains denied.
Mitigation Recommendations
A patch addressing this broken access control vulnerability is available in Decidim's GitHub repository (pull request 16665). Users should apply this official fix to restrict access to the demographics questionnaire admin editor to administrators only. As a temporary workaround, disabling the decidim-demographics module will prevent unauthorized access to the admin editor interface.
GHSA-vq6j-hj8w-7v39: Decidim: Forms admin question editor lacks authorization
Description
Decidim's demographics questionnaire admin editor lacks proper authorization checks, allowing normal participants to access and modify the admin question editor interface. This vulnerability permits low-privilege users to reach and interact with question-management features that should be restricted to administrators. The issue affects versions 0.31.0 up to but not including 0.31.5 of the decidim-demographics module. A patch is available as referenced in the Decidim GitHub repository. As a workaround, disabling the decidim-demographics module can prevent exploitation.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The demographics questionnaire editor in Decidim does not enforce admin access control on the route /admin/demographics/questions, allowing authenticated non-admin participants to load and modify the admin question editor interface. This broken access control vulnerability (CWE-284) enables unauthorized users to access and alter questionnaire management surfaces intended only for administrators. The vulnerability affects decidim-demographics versions >=0.31.0 and <0.31.5. The issue was identified during a security audit and is tracked as CVE-2026-45086. A patch is available via Decidim's GitHub pull request 16665, and disabling the module is a recommended workaround until patched.
Potential Impact
Low-privilege users can access and modify the demographics questionnaire admin editor, potentially altering questionnaire content without proper authorization. This unauthorized access compromises the integrity of the questionnaire management but does not affect availability or confidentiality of questionnaire responses, as access to question responses and settings remains denied.
Mitigation Recommendations
A patch addressing this broken access control vulnerability is available in Decidim's GitHub repository (pull request 16665). Users should apply this official fix to restrict access to the demographics questionnaire admin editor to administrators only. As a temporary workaround, disabling the decidim-demographics module will prevent unauthorized access to the admin editor interface.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-vq6j-hj8w-7v39
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-45086"]
- Ecosystems
- ["RubyGems"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a55ffc368715ace432fcccb
Added to database: 07/14/2026, 09:22:11 UTC
Last enriched: 07/14/2026, 10:02:46 UTC
Last updated: 07/14/2026, 10:02:46 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.