Information Exposure Affecting decidim-participatory_processes package, versions <0.30.9>=0.31.0.rc1, <0.31.5>=0.32.0.rc1, <0.32.0.rc2


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-DECIDIMPARTICIPATORYPROCESSES-17970855
  • published14 Jul 2026
  • disclosed13 Jul 2026
  • creditUnknown

Introduced: 13 Jul 2026

NewCVE-2026-45378  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade decidim-participatory_processes to version 0.30.9, 0.31.5, 0.32.0.rc2 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure via the variant_url process. An attacker can access sensitive identity-document images by obtaining and replaying signed Active Storage URLs embedded in admin review pages, without requiring authentication. This is only exploitable if the "Identity documents" verification feature is enabled.

CVSS Base Scores

version 4.0
version 3.1