Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network forceful browsing (AV:N/AC:L/PR:N/UI:N) exposing/altering workflow content gives C:H/I:H, but a missing-access-check bypass does not plausibly cause full availability loss, so A:N.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0.
AnalysisAI
Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The prerequisite is that the target Drupal site has the LocalGov Workflows module installed and enabled at a version below 1.6.0 (0.0.0-1.6.0), and that the vulnerable route(s) are reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals here conflict and should be reconciled before treating this as an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote user, without any special role, directly requests a LocalGov Workflows route that lacks a proper access check (forceful browsing) and thereby views or triggers a workflow/moderation action they should not be permitted to perform. Given AV:N/AC:L/PR:N/UI:N the request needs no authentication, complexity, or user interaction, though no public POC or exploit code is currently identified. |
| Remediation | Upgrade the LocalGov Workflows module to version 1.6.0, which the vendor advisory identifies as the fixed release (Vendor-released patch: 1.6.0; per Drupal SA-CONTRIB-2026-039, https://www.drupal.org/sa-contrib-2026-039), then clear Drupal caches and rebuild the router so corrected access checks take effect. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all Drupal instances to identify deployment of the LocalGov Workflows contrib module and inventory installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43114
GHSA-m5cq-wg24-c9f2