THREAT OPS › Threat News › [GHSA] GHSA-3mvf-82qp-8qh5 (high) — Decidim: Verification documents can be downloaded through reusable links
[GHSA] GHSA-3mvf-82qp-8qh5 (high) — Decidim: Verification documents can be downloaded through reusable links
GHSA-3mvf-82qp-8qh5 Severity: high CVE: CVE-2026-45378
Decidim: Verification documents can be downloaded through reusable links
## Description
Scanned identity-document images provided by participants and shown in the verification admin workflow are exposed through signed `/rails/active_storage/disk/` URLs that can be fetched without any authenticated session.
Anyone who obtains one of those U
MITRE ATT&CK techniques
- Browser ExtensionsT1176.001
Indicators of compromise
- CVE-2026-45378cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-3mvf-82qp-8qh5