Product
A high-severity vulnerability (CVE-2026-45378) in Decidim's identity document verification workflow allows unauthorized access to sensitive identity documents. Signed `/rails/active_storage/disk/` URLs, which are generated for administrator review, can be harvested and replayed by unauthenticated users for up to seven days, enabling attackers to bypass authentication and download highly sensitive personal information if these URLs are leaked through various channels.