THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-2g9c-vf8h-prxx (medium) — Decidim: Push subscriptions can be abused for server-side requests

[GHSA] GHSA-2g9c-vf8h-prxx (medium) — Decidim: Push subscriptions can be abused for server-side requests

highgithub_advisoriesPublished 2026-07-13

GHSA-2g9c-vf8h-prxx Severity: medium CVE: CVE-2026-45573

Decidim: Push subscriptions can be abused for server-side requests

## Description

The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request sink when VAPID delivery is enabled. The practical result is an authenticated, stored, mostly blind SSRF primitive to arbitr

Indicators of compromise

Original source: https://github.com/advisories/GHSA-2g9c-vf8h-prxx