CVE-2026-45376

CVE-2026-45376 is a medium-severity SQL injection vulnerability in decidim-admin (rubygems), affecting versions < 0.30.9. It is fixed in 0.30.9, 0.31.5, 0.32.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Decidim: Admin user search allows SQL injection through similarity-based sorting

The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.

Technical description

The vulnerable endpoint is exposed as GET /admin/organization/users in decidim-admin/config/routes.rb:

resource :organization, only: [:edit, :update], controller: "organization" do
  member do
    get :users
  end
end

That route reaches Decidim::Admin::OrganizationController#users, which forwards the current organization's available users into search:

def users
  search(current_organization.users.available)
end

Inside search, the attacker-controlled source is params[:term]:

if (term = params[:term].to_s).present?

The query has two branches. In both branches, the WHERE predicates use bind parameters and are not the injection sink. The vulnerability is in the subsequent .order(Arel.sql(...)) calls, where the untrusted value is interpolated directly into SQL string literals.

Nickname branch:

nickname = term.delete("@")
relation.where("nickname LIKE ?", "#{nickname}%")
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("similarity(nickname, '#{nickname}') DESC")))

Name/email branch:

relation.where("name ILIKE ?", "%#{term}%").or(
  relation.where("email ILIKE ?", "%#{term}%")
)
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("GREATEST(similarity(name, '#{term}'), similarity(email, '#{term}')) DESC")))
  .order(Arel.sql(ActiveRecord::Base.sanitize_sql_array("(similarity(name, '#{term}') + similarity(email, '#{term}')) / 2 DESC")))

This use of sanitize_sql_array does not make the code safe. The interpolation happens first, so Rails receives an already-built SQL string rather than a statement with bind placeholders. As a result, a quote in term can terminate the intended string literal and inject attacker-controlled SQL into the ORDER BY expression.

For example, a payload such as slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) -- produces a fragment equivalent to:

GREATEST(similarity(name, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --'), similarity(email, 'slpleak '), COALESCE((SELECT 1 FROM pg_sleep(21)),0)) --')) DESC

The injected subquery is therefore evaluated by PostgreSQL as SQL, not treated purely as data. Because the sink is in ORDER BY, the endpoint can still return a normal 200 OK response while exposing the issue through measurable timing differences.

Source-to-sink chain:

  • Source: params[:term]
  • Propagation: term = params[:term].to_s
  • Sink: .order(Arel.sql(... "#{term}" ...)) and .order(Arel.sql(... "#{nickname}" ...))
  • Effect: attacker-controlled SQL is executed inside the database sort expression

Reproduction steps:

  1. Authenticate as an organization admin.
  2. Ensure the search returns at least one row for the chosen payload. For a deterministic test, create a temporary
    user whose name, email, or nickname matches the probe string.
  3. Send a control request to GET /admin/organization/users?term=test with Accept: application/json and record the response time.
  4. Send a payload request such as GET /admin/organization/users?term=slpleak%20%27%29%2C%20COALESCE%28%28SELECT%201%20FROM%20pg_sleep%2821%29%29%2C0%29%29%20-- with Accept: application/json.
  5. Observe that the endpoint still responds successfully, but the response time increases by approximately the sleep
    interval, demonstrating time-based SQL execution in the ORDER BY clause.

Workarounds

Review your administrator accesses and not give access to untrustworthy users

Reference

OWASP SQL Injection

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

Impact

  • Exploitation requires an authenticated admin session, which limits exposure but does not remove the underlying SQL injection risk.
  • An authenticated admin can inject arbitrary SQL expressions into the query's ORDER BY clause and use timing differences as a blind SQL oracle.
  • The injection happens inside a database expression, so the effect is not inherently limited to sorting the current organization user relation. Depending on the privileges of the application's PostgreSQL role, an attacker may be able to infer data from other tables readable by that role.
  • The issue remains exploitable even without verbose database errors because time-based payloads such as pg_sleep provide a reliable blind side channel.
  • Repeated long-running payloads can also be used to degrade availability by tying up database-backed requests.

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

CVE-2026-45376 has a CVSS score of 6.8 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.30.9, 0.31.5, 0.32.0); upgrading removes the vulnerable code path.

Affected versions

decidim-admin (< 0.30.9) decidim-admin (>= 0.31.0.rc1, < 0.31.5) decidim-admin (>= 0.32.0.rc1, < 0.32.0)

Security releases

decidim-admin → 0.30.9 (rubygems) decidim-admin → 0.31.5 (rubygems) decidim-admin → 0.32.0 (rubygems)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

See https://github.com/decidim/decidim/pull/16668

Frequently Asked Questions

  1. What is CVE-2026-45376? CVE-2026-45376 is a medium-severity SQL injection vulnerability in decidim-admin (rubygems), affecting versions < 0.30.9. It is fixed in 0.30.9, 0.31.5, 0.32.0. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. How severe is CVE-2026-45376? CVE-2026-45376 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of decidim-admin are affected by CVE-2026-45376? decidim-admin (rubygems) versions < 0.30.9 is affected.
  4. Is there a fix for CVE-2026-45376? Yes. CVE-2026-45376 is fixed in 0.30.9, 0.31.5, 0.32.0. Upgrade to this version or later.
  5. Is CVE-2026-45376 exploitable, and should I be worried? Whether CVE-2026-45376 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-45376 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-45376?
    • Upgrade decidim-admin to 0.30.9 or later
    • Upgrade decidim-admin to 0.31.5 or later
    • Upgrade decidim-admin to 0.32.0 or later

Other vulnerabilities in decidim-admin

Stop the waste.
Protect your environment with Kodem.