Listen to this Post
The vulnerability arises from a design flaw in Decidim’s “Download Your Data” GDPR export feature. The normal flow for downloading a personal data export requires the requesting user to be authenticated and properly scoped as the owner of that export. The controller `Decidim::DownloadYourDataControllerdownload_file` correctly enforces this by checking that the export record belongs to the current_user, meaning the wrapper route itself is not directly accessible to other users.
However, once the authenticated owner makes a GET request to this wrapper endpoint, the server responds with an HTTP redirect to an underlying Active Storage blob URL. This blob URL is signed for temporary access but is no longer bound to the user session or to the Decidim ownership context. The redirect turns a protected, user-scoped download into a reusable bearer-style link.
Because the redirect happens via a standard GET request, the final blob URL appears in the redirect chain. This makes it susceptible to leakage through multiple common channels: browser history, HTTP logs, proxy tools, screenshots, copied links, support transcripts, and other client-side handling of URLs. An attacker who obtains this URL—even without ever being authenticated as the export owner—can replay it and retrieve the complete exported file.
The impact is that sensitive personal data exports can be accessed by unauthorized parties through information disclosure rather than direct brute-force or session hijacking. The vulnerability is classified under OWASP A01:2021 Broken Access Control. Patches are available in versions 0.30.9, 0.31.5, and 0.32.0.
DailyCVE Form:
Platform: Decidim
Version: <0.30.9, 0.31.0-0.31.4, 0.32.0-rc
Vulnerability: Broken Access Control
Severity: Moderate
date: 2026-07-13
Prediction: 2026-07-20
What Undercode Say
Analytics & Detection
Monitor access logs for direct requests to `/rails/active_storage/blobs/redirect/` that originate from IP addresses or user agents not associated with authenticated Decidim sessions. A high volume of such requests may indicate exploitation or reconnaissance.
Bash Commands & Codes
Check for unauthorized Active Storage blob access in logs:
grep "rails/active_storage/blobs/redirect" /var/log/decidim/production.log | awk '{print $1, $7, $9}'
Simulate the replay attack to verify exposure:
curl -I "http://localhost:3001/rails/active_storage/blobs/redirect/<SIGNED_ID>/<FILENAME>"
Exploit
- Generate a data export as the victim user.
- Obtain the wrapper URL from the UI or email.
- Perform the authenticated GET request while intercepting the redirect chain (e.g., using Burp Suite or browser DevTools).
- Copy the final Active Storage blob URL from the `Location` header.
- Replay the blob URL from an incognito browser or unauthenticated `curl` session to download the file.
Protection
- Upgrade to Decidim
0.30.9,0.31.5, or `0.32.0` immediately. - Workaround: Disable private downloads URLs via configuration if upgrading is not immediately possible.
- Network Controls: Restrict access to the `/rails/active_storage/blobs/redirect/` path to only trusted internal networks or require additional authentication at the reverse proxy level.
- Monitoring: Implement alerts for any access to blob redirect URLs without a preceding authenticated wrapper request.
Impact
- Unauthorized retrieval of personal data exports through leaked URLs.
- Exposure of sensitive user information (name, email, activity logs, etc.) via browser history, logs, referrers, screenshots, copied links, support transcripts, or intercepted emails.
- Violation of GDPR/DPO compliance requirements due to data leakage.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

