THREAT OPS › Threat News › [GHSA] GHSA-86fh-w43w-338c (medium) — Decidim: Verification admins can access supplied IDs from other organizations
[GHSA] GHSA-86fh-w43w-338c (medium) — Decidim: Verification admins can access supplied IDs from other organizations
GHSA-86fh-w43w-338c Severity: medium CVE: CVE-2026-45330
Decidim: Verification admins can access supplied IDs from other organizations
## Description
The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant.
## Technical description
The verification admin controllers loads pending_authorization_id with a raw `Authorization.find(..
Indicators of compromise
- CVE-2026-45330cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-86fh-w43w-338c