CVE-2026-45378: decidim-verifications Unauthenticated Access to Signed Identity Document URLs
Decidim's identity-document verification workflow embeds long-lived signed file URLs directly in admin pages, letting anyone who obtains one of those links download a user's scanned ID without logging
The problem
The admin review pages for the "Identity documents" verification workflow render uploaded scans using `variant_url(...)`. That helper emits a raw signed `/rails/active_storage/disk/<TOKEN>/<FILENAME>` URL directly into the HTML.
Because Rails Active Storage disk-service URLs carry their own HMAC signature as the access credential, no session cookie or Decidim authentication check is performed when the URL is fetched. Decidim configures those signatures to remain valid for seven days, giving any observer of the URL a week-long, session-free download window over sensitive personal data (passport scans, national ID cards, etc.).
Proof of concept
A working proof-of-concept for CVE-2026-45378 in decidim-verifications, with the exact payload below.
# 1. Log in as a normal user and submit an ID-document verification.
# 2. Log in as admin and open the pending-verifications review page.
GET http://localhost:3001/admin/id_documents
# 3. From the rendered HTML (or DevTools Network tab), harvest the signed URL:
# <img src="http://localhost:3001/rails/active_storage/disk/<SIGNED_TOKEN>/<FILENAME>">
# 4. In a private/unauthenticated browser window, replay the URL:
GET http://localhost:3001/rails/active_storage/disk/<SIGNED_TOKEN>/<FILENAME>
# => 200 OK — full identity-document image returned, no session required.Root cause is CWE-200: the view delegates image access entirely to the Active Storage disk-service HMAC signature instead of routing the file through a Decidim controller that enforces an admin session check. The signature itself becomes the bearer credential, and it is embedded in cleartext HTML visible to anyone with admin access, browser extensions, proxies, logs, or support workflows.
PR #16680 fixes this by replacing `variant_url(...)` calls in the pending and confirmation admin views with a controller-proxied route. That route verifies the requester holds a valid authenticated admin session before streaming the blob, so the signed disk URL is never exposed to the client at all.
The fix
Upgrade `decidim-verifications` to version 0.30.9 or later. If an immediate upgrade is not possible, disable the "Identity documents" verification method in the organization settings as a temporary workaround.
Reported by Radically Open Security (security audit commissioned by the Decidim Association, financed by NGI).
Related research
- high · 8.5CVE-2026-45414CVE-2026-45414: Decidim JWT Cross-Organization Authentication Bypass
- highCVE-2026-53727CVE-2026-53727: css_parser SSRF and Local File Disclosure via @import
- high · 7.4pay: Paddle Billing Webhook Signature Timing Oracle (CWE-208)
- critical · 9TSDProxy: Internal Auth Token Leaked to Backend Services Enables Management API Takeover