THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-767h-63j4-5226 (medium) — Decidim: Private exports can be downloaded through reusable links

[GHSA] GHSA-767h-63j4-5226 (medium) — Decidim: Private exports can be downloaded through reusable links

highgithub_advisoriesPublished 2026-07-13

GHSA-767h-63j4-5226 Severity: medium CVE: CVE-2026-45377

Decidim: Private exports can be downloaded through reusable links

## Description

The normal `download_your_data` flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.

## Technical description

This private expor

Indicators of compromise

Original source: https://github.com/advisories/GHSA-767h-63j4-5226