{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/decidim-decidim-verifications--0.31.0.rc1--0.31.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Decidim (decidim-verifications \u003c 0.30.9)","Decidim (decidim-verifications \u003e= 0.31.0.rc1, \u003c 0.31.5)","Decidim (decidim-verifications \u003e= 0.32.0.rc1, \u003c 0.32.0)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","access-control","data-leakage","rails","active-storage","decidim"],"_cs_type":"advisory","_cs_vendors":["Decidim"],"content_html":"\u003cp\u003eA significant vulnerability, identified as CVE-2026-45378, affects Decidim's identity document verification feature. This flaw allows sensitive scanned identity documents, submitted by participants and displayed in the administration workflow, to be exposed through signed \u003ccode\u003e/rails/active_storage/disk/\u003c/code\u003e URLs. These URLs are generated using \u003ccode\u003evariant_url(...)\u003c/code\u003e for \u003ccode\u003eDecidim::Authorization\u003c/code\u003e blobs, and their signature remains valid for approximately seven days. Crucially, these URLs can be accessed and the associated documents retrieved without any active authenticated session. This means that if an attacker obtains one of these signed links - potentially through browser history, screenshots, logs, or other leakage channels - they can bypass authentication checks and download highly sensitive personal information, posing a critical risk of data exfiltration and privacy breach for organizations utilizing Decidim's identity verification.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Admin Account)\u003c/strong\u003e: An attacker or malicious insider, possessing legitimate administrator credentials, signs into the Decidim application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNavigate to Verification Review\u003c/strong\u003e: The attacker navigates to the administrator review page for identity documents, such as \u003ccode\u003ehttp://localhost:3001/admin/id_documents\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGenerate Signed URL\u003c/strong\u003e: The Decidim application renders the scanned identity document images using \u003ccode\u003evariant_url(...)\u003c/code\u003e, which embeds signed \u003ccode\u003e/rails/active_storage/disk/...\u003c/code\u003e URLs directly into the HTML of the admin review page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHarvest Signed URL\u003c/strong\u003e: The attacker uses browser developer tools to intercept and copy one of the generated signed \u003ccode\u003e/rails/active_storage/disk/\u0026lt;SIGNED_TOKEN\u0026gt;/\u0026lt;FILENAME\u0026gt;\u003c/code\u003e URLs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltrate URL\u003c/strong\u003e: The attacker exfiltrates this harvested URL outside the legitimate admin session, potentially via copy-paste, screenshots, or other means that may introduce the URL into logs, browser history, or other less secure channels.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access (Unauthenticated)\u003c/strong\u003e: The attacker or an unauthenticated third party uses the harvested signed URL in a private browser window or a different system, without logging into Decidim, to directly access and download the sensitive identity document.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Retrieval\u003c/strong\u003e: The unauthenticated party successfully retrieves the identity document image, bypassing all authentication and authorization checks, for up to seven days while the signature remains valid.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability directly impacts organizations using Decidim's \u0026quot;Identity documents\u0026quot; verification feature, leading to potential unauthorized access and exfiltration of highly sensitive personal information. Any party that obtains a valid signed URL, even without authentication, can download the underlying scanned identity document for up to seven days. This significantly elevates the risk of data leakage through common channels such as browser history, screenshots, copy-pasting, support tickets, web server logs, analytics tooling, or malicious browser extensions that capture full URLs. The exposed data, being identity verification documents, typically contains personally identifiable information, making successful exploitation a critical privacy and compliance incident for affected individuals and organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule\u003c/strong\u003e in this brief to your SIEM to detect suspicious access patterns to \u003ccode\u003e/rails/active_storage/disk/\u003c/code\u003e endpoints, specifically looking for requests that may originate from unexpected sources or without a valid preceding authenticated session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-45378\u003c/strong\u003e by updating \u003ccode\u003erubygems/decidim-verifications\u003c/code\u003e to versions \u003ccode\u003e0.30.9\u003c/code\u003e or later, \u003ccode\u003e0.31.5\u003c/code\u003e or later, or \u003ccode\u003e0.32.0\u003c/code\u003e or later, as referenced in the provided GitHub Security Advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement network-level monitoring\u003c/strong\u003e for webserver access logs to identify any anomalous access to URL paths containing \u003ccode\u003e/rails/active_storage/disk/\u003c/code\u003e from external or untrusted IP addresses, or those without expected session cookies/authentication headers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConsider temporarily disabling\u003c/strong\u003e the \u0026quot;Identity documents\u0026quot; verification feature in Decidim as a workaround until the patch for CVE-2026-45378 can be applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T17:15:46Z","date_published":"2026-07-13T17:15:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-decidim-auth-bypass/","summary":"A high-severity vulnerability (CVE-2026-45378) in Decidim's identity document verification workflow allows unauthorized access to sensitive identity documents. Signed `/rails/active_storage/disk/` URLs, which are generated for administrator review, can be harvested and replayed by unauthenticated users for up to seven days, enabling attackers to bypass authentication and download highly sensitive personal information if these URLs are leaked through various channels.","title":"Decidim Vulnerability Allows Unauthorized Access to Identity Documents via Reusable Signed URLs","url":"https://feed.craftedsignal.io/briefs/2026-07-decidim-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Decidim (Decidim-Verifications \u003e= 0.31.0.rc1, \u003c 0.31.5)","version":"https://jsonfeed.org/version/1.1"}