Decidim, Broken Access Control, CVE-2026-45086 (Moderate) -DC-Jul2026-940

Listen to this Post

How CVE-2026-45086 Works

The vulnerability exists in the `decidim-demographics` module of the Decidim participatory democracy platform. The demographics questionnaire editor is intended to be an administrative function, requiring admin-level access to modify questions. However, the route `/admin/demographics/questions` renders the editor interface without performing the necessary authorization checks to verify that the caller is indeed an admin.
An attacker with only a normal participant account can directly request this admin-only endpoint. By loading the page, the participant can see the live update form action, proving that the protected interface is reachable and functional. The reproduction steps are straightforward:
1. Sign in as a normal participant via `http://localhost:3000/users/sign_in`.
2. Directly access the admin editor at `http://localhost:3000/admin/demographics/questions/edit_questions` in the same browser session.
3. The attacker can then interact with the editor, for example, by adding another question.
It is important to note that while this interface is accessible, access is denied when attempting to view question responses or settings, limiting the immediate data exposure. The root cause is a classic case of Broken Access Control, which is categorized as OWASP A01:2021. The issue affects Decidim versions `0.31.0` through 0.31.4, as well as release candidates 0.32.0.rc1, 0.32.0.rc2, and 0.32.0.rc3. Patches are available in versions `0.31.5` and 0.32.0.

DailyCVE Form:

Platform: Decidim
Version: 0.31.0-0.31.4, 0.32.0.rc1-rc3
Vulnerability: Broken Access Control
Severity: Moderate
date: 2026-07-13

Prediction: 2026-07-13

What Undercode Say:

The vulnerability is patched in versions `0.31.5` and 0.32.0. The fix involves adding proper authorization checks to the `/admin/demographics/questions` route to ensure only users with admin privileges can access the questionnaire editor.
To verify if your instance is vulnerable, you can use the following command to check the installed version of the `decidim-demographics` gem:

bundle list | grep decidim-demographics

If the version is between `0.31.0` and `0.31.4` or any `0.32.0.rc` release, your system is affected.

Exploit:

A low-privilege user can exploit this vulnerability by following these steps:
1. Log in to the Decidim platform with a standard participant account.
2. Directly navigate to the admin editor URL: `http://[your-decideim-domain]/admin/demographics/questions/edit_questions`.
3. The attacker will be presented with the questionnaire management interface and can make unauthorized changes, such as adding, modifying, or deleting demographic questions.
The following `curl` command demonstrates how an attacker could potentially interact with the vulnerable endpoint, assuming they have a valid session cookie:

curl -X GET http://localhost:3000/admin/demographics/questions/edit_questions \
-H "Cookie: [bash]"

Protection:

The primary protection against this vulnerability is to upgrade to a patched version of Decidim.
– Upgrade: Update the `decidim-demographics` gem to version `0.31.5` or `0.32.0` or later.
– Workaround: If an immediate upgrade is not possible, the recommended workaround is to disable the `decidim-demographics` module entirely. This will remove the vulnerable functionality until a patch can be applied.

Impact:

  • Low-privilege users (normal participants) can access the questionnaire administration interfaces.
  • Attackers can read and modify question-management surfaces that should be strictly limited to questionnaire managers.
  • While access to view actual participant responses and settings is denied, the ability to alter the questionnaire itself can lead to data integrity issues and potential social engineering attacks by changing the questions presented to users.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top