Listen to this Post
How CVE-2026-45378 Works
This vulnerability resides in Decidim’s identity document verification workflow, specifically within the admin panel. The core issue is that the admin interface exposes scanned identity documents through signed, but publicly accessible, Active Storage URLs.
When an admin reviews a user’s verification request, the application generates a URL for the document image using the `variant_url` method. This method produces a link to /rails/active_storage/disk/..., which is a signed URL that allows direct access to the file. The critical flaw is that this link bypasses any authorization checks within the Decidim application itself. Once generated, the URL becomes a bearer token; anyone in possession of it can download the file.
The exposure is exacerbated by Decidim’s default configuration, which keeps these signed URLs valid for seven days. This lengthy validity period significantly increases the window of opportunity for an attacker to discover and exploit a leaked link.
An attacker can obtain these URLs through various means. The URL is embedded directly in the HTML source of the admin review pages. It can be captured from network traffic using browser developer tools or intercepted from proxy logs. Furthermore, the URL can be leaked via browser history, server logs, support tickets, or any other channel that records full HTTP requests.
The reproduction steps are straightforward:
- A normal user submits a verification request with an image attachment.
- An admin logs in and navigates to the admin review page for identity documents.
- The admin uses browser DevTools to copy the network request URL matching the `/rails/active_storage/disk/…` pattern.
- This URL can then be pasted into a private browser window where the user is not logged into Decidim, and the document image will still load successfully.
This vulnerability leads to the unauthorized disclosure of sensitive personal information contained in identity documents.
DailyCVE Form
Platform: Decidim
Version: <0.30.9, 0.31.0.rc1 – <0.31.5, 0.32.0.rc1 – <0.32.0
Vulnerability: Broken Access Control
Severity: High
date: 2026-07-13
Prediction: 2026-07-13
What Undercode Say: Analytics
- Attack Vector: Network-based. The vulnerability is exploitable remotely over the network.
- Attack Complexity: Low. No specialized conditions are required; the attacker simply needs to obtain a valid URL.
- Privileges Required: None to access the document once the URL is obtained. However, an admin session is initially required to generate the URL.
- User Interaction: Required. An admin must view the verification request in the admin panel, which generates the vulnerable URL. An attacker relies on this action.
- Confidentiality Impact: High. Successful exploitation leads to the disclosure of sensitive identity documents.
Exploit
A successful exploit relies on obtaining a valid Active Storage URL. The following conceptual steps and code snippets illustrate the process:
1. Intercept the URL: While an admin is reviewing a pending verification, intercept the network traffic (e.g., using browser DevTools or a proxy like Burp Suite) to capture the request for the document image.
Example of the vulnerable URL format captured from the network tab GET /rails/active_storage/disk/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDd...==/filename.png
2. Replay the Request: Use a tool like `curl` to replay the captured request from a machine that is not authenticated with the Decidim application.
Replaying the captured URL to download the file without any session cookie curl -X GET "https://target-decideim.com/rails/active_storage/disk/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaDd...==/filename.png" --output downloaded_document.png
3. Verify the Exploit: The `downloaded_document.png` file will be the same identity document that was uploaded by the user, confirming the data leak.
Protection
The primary protection against CVE-2026-45378 is to update Decidim to a patched version as soon as possible. The vulnerability has been fixed in the following releases:
Decidim `0.30.9`
Decidim `0.31.5`
Decidim `0.32.0`
If an immediate upgrade is not possible, the recommended workaround is to disable the “Identity documents” verification method entirely. This removes the vulnerable functionality from the application.
As a general security best practice, organizations should ensure that all sensitive file accesses are routed through an authorization-checking controller rather than relying on signed, publicly accessible URLs.
Impact
- Confidentiality Breach: The primary impact is the unauthorized exposure of sensitive personally identifiable information (PII) found on identity documents, such as full names, addresses, dates of birth, and government ID numbers. This constitutes a significant data breach.
- Widespread Leakage Channels: The seven-day validity of the URLs creates a large attack surface. Links can be leaked through various channels, including browser history, screenshots, copy-paste actions, support tickets, server logs, analytics tools, and malicious browser extensions.
- Affected Deployments: This vulnerability only impacts Decidim instances that have the “Identity documents” verification feature enabled.
- Compliance Violations: The exposure of such sensitive data can lead to violations of data protection regulations like GDPR, resulting in significant fines and reputational damage.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

