THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-86fh-w43w-338c (medium) — Decidim: Verification admins can access supplied IDs from other organizations

[GHSA] GHSA-86fh-w43w-338c (medium) — Decidim: Verification admins can access supplied IDs from other organizations

highgithub_advisoriesPublished 2026-07-13

GHSA-86fh-w43w-338c Severity: medium CVE: CVE-2026-45330

Decidim: Verification admins can access supplied IDs from other organizations

## Description

The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.

## Technical description

The verification admin controllers loads pending_authorization_id with a raw `Authorization.find(..

Indicators of compromise

Original source: https://github.com/advisories/GHSA-86fh-w43w-338c