Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Network-accessible Drupal route but PR:H required (elevated session prerequisite) and AC:H reflects non-trivial path enumeration; no availability impact applies.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. This issue affects Examples for Developers versions: from 0.0.0 to 4.0.6.
AnalysisAI
Missing Authorization in Drupal's Examples for Developers module (versions 0.0.0 through 4.0.5) permits forceful browsing by an already highly-privileged authenticated attacker, exposing restricted paths with limited confidentiality and integrity impact. All available signals converge on minimal real-world risk: CVSS scores 3.3 (Low), EPSS sits at 0.14% (4th percentile), SSVC reports no known exploitation and non-automatable attack conditions, and neither active exploitation nor public proof-of-concept code has been identified. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Examples for Developers Drupal contributed module (versions 0.0.0 through 4.0.5) to be installed and enabled on the target site - a condition that should not exist in production environments, as this module is explicitly a developer reference tool. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N yields a score of 3.3 (Low), and the high complexity (AC:H) combined with high required privileges (PR:H) severely constrains the practical attack surface - an attacker must already hold elevated Drupal credentials and navigate specific non-obvious conditions to trigger the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds a high-privilege authenticated Drupal account - such as an administrator or a compromised privileged user - directly browses to restricted URL paths exposed by the Examples for Developers module that lack proper authorization checks. The missing access control allows the attacker to view or modify limited content or configuration data accessible through those routes without the system enforcing the intended permission boundary. … |
| Remediation | Update the Examples for Developers Drupal module to version 4.0.6 or later, as confirmed by the affected version range in EUVD-2026-43050 and the vendor advisory at https://www.drupal.org/sa-contrib-2026-044. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43050
GHSA-q6w5-4q59-rj5q