GHSA-767H-63J4-5226

Vulnerability from github – Published: 2026-07-13 17:00 – Updated: 2026-07-13 17:00
VLAI
Summary
Decidim: Private exports can be downloaded through reusable links
Details

Description

The normal download_your_data flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.

Technical description

This private export flow turns an authenticated, user-scoped download into a reusable bearer link because the protected Decidim endpoint redirects to the underlying Active Storage blob URL. Decidim::DownloadYourDataController#download_file correctly scopes the export record to current_user, so the wrapper route itself is not directly accessible to another user. However, once the owner performs that authenticated GET request, the response redirects to a signed Active Storage URL that is no longer bound to the user session. Anyone who learns that URL can replay it and retrieve the file without being logged in as the export owner.

Because the blob redirect URL is delivered through a GET request and appears in the redirect chain, it is more likely to leak through browser history, logs, proxy tooling, screenshots, copied links, support transcripts, or other client-side handling of URLs.

Reproduction steps:

Step 1. Generate or locate a completed export in the Web UI. 1. Sign in as user@example.org at http://localhost:3001/users/sign_in. 2. Open http://localhost:3001/download_your_data. 3. Request a new export from the page and wait until the export becomes downloadable. 4. Open the completed export entry from the list and copy its wrapper URL, for example http://localhost:3001/download_your_data/download?uuid=07286e61-932d-46d4-bd74-bcd1340c503f.

Step 2. Download through the authenticated wrapper route. 1. While still signed in as user@example.org, open the wrapper URL in the browser. 2. Confirm that this Decidim route requires the owner session and is not directly usable when logged out or when logged in as another user.

Step 3. Capture the final bearer URL in the redirect chain.

  1. In DevTools Network or Burp, inspect the redirect sequence for the wrapper request.
  2. Copy the Active Storage redirect URL, typically matching http://localhost:3001/rails/active_storage/blobs/redirect/<SIGNED_ID>/<FILENAME>.
  3. Note that the Active Storage redirect URL is no longer protected by the Decidim ownership check.

Step 4. Replay the final file URL without authentication. 1. Open a private window or separate browser with no Decidim session. 2. Paste the copied http://localhost:3001/rails/active_storage/blobs/redirect/<SIGNED_ID>/<FILENAME> URL. 3. Confirm the export file still downloads even though you are not logged in as the export owner.

Impact

Personal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.

Patches

See https://github.com/decidim/decidim/pull/16680

Workarounds

Disable Private Downloads URLs

Reference

OWASP A01:2021 Broken Access Control

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0.rc1"
            },
            {
              "fixed": "0.31.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "decidim-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0.rc1"
            },
            {
              "fixed": "0.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T17:00:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Description\n\nThe normal `download_your_data` flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.\n\n## Technical description\n \nThis private export flow turns an authenticated, user-scoped download into a reusable bearer link because the protected Decidim endpoint redirects to the underlying Active Storage blob URL. `Decidim::DownloadYourDataController#download_file` correctly scopes the export record to `current_user`, so the wrapper route itself is not directly accessible to another user. However, once the owner\nperforms that authenticated GET request, the response redirects to a signed Active Storage URL that is no longer bound to the user session. Anyone who learns that URL can replay it and retrieve the file without being logged in as the export owner.\n\nBecause the blob redirect URL is delivered through a GET request and appears in the redirect chain, it is more likely to leak through browser history, logs, proxy tooling, screenshots, copied links, support transcripts, or other client-side handling of URLs.\n\nReproduction steps:\n\nStep 1. Generate or locate a completed export in the Web UI.\n1. Sign in as `user@example.org` at `http://localhost:3001/users/sign_in`.\n2. Open `http://localhost:3001/download_your_data`.\n3. Request a new export from the page and wait until the export becomes downloadable.\n4. Open the completed export entry from the list and copy its wrapper URL, for example `http://localhost:3001/download_your_data/download?uuid=07286e61-932d-46d4-bd74-bcd1340c503f `.\n\nStep 2. Download through the authenticated wrapper route.\n1. While still signed in as user@example.org, open the wrapper URL in the browser.\n2. Confirm that this Decidim route requires the owner session and is not directly usable when logged out or when logged in as another user.\n\nStep 3. Capture the final bearer URL in the redirect chain.\n\n1. In DevTools Network or Burp, inspect the redirect sequence for the wrapper request.\n2. Copy the Active Storage redirect URL, typically matching `http://localhost:3001/rails/active_storage/blobs/redirect/\u003cSIGNED_ID\u003e/\u003cFILENAME\u003e`.\n3. Note that the Active Storage redirect URL is no longer protected by the Decidim ownership check.\n\nStep 4. Replay the final file URL without authentication.\n1. Open a private window or separate browser with no Decidim session.\n2. Paste the copied `http://localhost:3001/rails/active_storage/blobs/redirect/\u003cSIGNED_ID\u003e/\u003cFILENAME\u003e` URL.\n3. Confirm the export file still downloads even though you are not logged in as the export owner.\n\n### Impact\n\nPersonal data exports can be retrieved through leakage channels such as browser history, logs, referrers, screenshots, copied links, support transcripts, intercepted email content, or other client-side disclosure of the GET URL.\n\n### Patches\n\nSee https://github.com/decidim/decidim/pull/16680 \n\n### Workarounds\n\nDisable Private Downloads URLs\n\n### Reference\n\nOWASP A01:2021 Broken Access Control\n\n### Credits\n\nThis issue was discovered in a security audit organized by the [Decidim Association](https://decidim.org) and made by [Radically Open Security](https://www.radicallyopensecurity.com/) against Decidim financed by [NGI](https://ngi.eu/).",
  "id": "GHSA-767h-63j4-5226",
  "modified": "2026-07-13T17:00:08Z",
  "published": "2026-07-13T17:00:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/security/advisories/GHSA-767h-63j4-5226"
    },
    {
      "type": "WEB",
      "url": "https://github.com/decidim/decidim/pull/16680"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decidim/decidim"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Decidim: Private exports can be downloaded through reusable links"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…