Threat Advisory

Decidim Vulnerability May Gain Access to Export Content

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A vulnerability, CVE-2025-65017, has been identified in the private data export functionality of the open-source Decidim platform that could allow attackers to cause unauthorized exposure of private user details. The vulnerability stems from a defect in UUID generation that can lead to collisions during private export operations, potentially enabling an attacker to access or download another user's private export file without proper authorization. The issue affects Decidim versions and has been addressed in version; organizations using affected releases are advised to update promptly to mitigate the risk of data leaks and protect sensitive information. The vulnerability has a CVSS score of 8.2.


RECOMMENDATION:

  • We strongly recommend you update Decidim to version 0.30.4 or 0.31.0 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-3cx6-j9j4-54mp