Skip to main content

LocalGov Workflows CVE-2026-10768

| EUVDEUVD-2026-43114 CRITICAL
Missing Authorization (CWE-862)
2026-07-10 drupal GHSA-m5cq-wg24-c9f2
9.8
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated network forceful browsing (AV:N/AC:L/PR:N/UI:N) exposing/altering workflow content gives C:H/I:H, but a missing-access-check bypass does not plausibly cause full availability loss, so A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 14, 2026 - 17:30 vuln.today
CVSS changed
Jul 14, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:41 cve.org
CRITICAL 9.8
CVE Published
Jul 10, 2026 - 21:41 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0.

AnalysisAI

Missing authorization in the Drupal LocalGov Workflows contrib module (all versions 0.0.0 through 1.6.0, fixed in 1.6.0) lets remote attackers reach protected workflow-related routes through forceful browsing without proper permission checks. The flaw carries a vendor CVSS of 9.8 (AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site running LocalGov Workflows
Exploit
Request protected workflow route directly
Execution
Bypass missing authorization check
Impact
Access or alter workflow-controlled content

Vulnerability AssessmentAI

Exploitation The prerequisite is that the target Drupal site has the LocalGov Workflows module installed and enabled at a version below 1.6.0 (0.0.0-1.6.0), and that the vulnerable route(s) are reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals here conflict and should be reconciled before treating this as an emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote user, without any special role, directly requests a LocalGov Workflows route that lacks a proper access check (forceful browsing) and thereby views or triggers a workflow/moderation action they should not be permitted to perform. Given AV:N/AC:L/PR:N/UI:N the request needs no authentication, complexity, or user interaction, though no public POC or exploit code is currently identified.
Remediation Upgrade the LocalGov Workflows module to version 1.6.0, which the vendor advisory identifies as the fixed release (Vendor-released patch: 1.6.0; per Drupal SA-CONTRIB-2026-039, https://www.drupal.org/sa-contrib-2026-039), then clear Drupal caches and rebuild the router so corrected access checks take effect. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all Drupal instances to identify deployment of the LocalGov Workflows contrib module and inventory installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy