THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-3mvf-82qp-8qh5 (high) — Decidim: Verification documents can be downloaded through reusable links

[GHSA] GHSA-3mvf-82qp-8qh5 (high) — Decidim: Verification documents can be downloaded through reusable links

highgithub_advisoriesPublished 2026-07-13

GHSA-3mvf-82qp-8qh5 Severity: high CVE: CVE-2026-45378

Decidim: Verification documents can be downloaded through reusable links

## Description

Scanned identity-document images provided by participants and shown in the verification admin workflow are exposed through signed `/rails/active_storage/disk/` URLs that can be fetched without any authenticated session.

Anyone who obtains one of those U

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-3mvf-82qp-8qh5