THREAT OPS › Threat News › [GHSA] GHSA-767h-63j4-5226 (medium) — Decidim: Private exports can be downloaded through reusable links
[GHSA] GHSA-767h-63j4-5226 (medium) — Decidim: Private exports can be downloaded through reusable links
GHSA-767h-63j4-5226 Severity: medium CVE: CVE-2026-45377
Decidim: Private exports can be downloaded through reusable links
## Description
The normal `download_your_data` flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it.
## Technical description
This private expor
Indicators of compromise
- CVE-2026-45377cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-767h-63j4-5226