Skip to main content

Advanced Content Feedback CVE-2026-13232

| EUVDEUVD-2026-43056 LOW
Incorrect Authorization (CWE-863)
2026-07-10 drupal GHSA-6xj8-mcp3-72g6
3.1
CVSS 3.1 · Vendor: drupal

Severity by source

Vendor (drupal) PRIMARY
3.1 LOW
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

Network-accessible Drupal module; low privileges required for authenticated session; high complexity for path enumeration; integrity-only, limited impact, no scope change.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Jul 13, 2026 - 21:16 vuln.today
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL LOW
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.8 (CRITICAL) 3.1 (LOW)
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.

AnalysisAI

Incorrect authorization in the Drupal Advanced Content Feedback (admin_feedback) contributed module allows authenticated low-privilege users to perform forceful browsing, accessing restricted feedback resources without proper authorization checks. All module releases from 0.0.0 up to (but not including) 2.8.0 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Drupal account
Delivery
Identify admin_feedback module route paths
Exploit
Craft direct HTTP requests to restricted feedback endpoints
Execution
Bypass authorization check
Impact
Access or modify restricted content feedback data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Drupal session with at least low-level privilege (PR:L per CVSS), meaning the attacker must hold a valid user account on the target site - unauthenticated visitors cannot exploit this flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.1 (Low) reflects a constrained risk profile: network-reachable (AV:N) but requiring existing authentication (PR:L) and elevated attack complexity (AC:H), with only a limited integrity impact (I:L) and no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege Drupal account (such as an authenticated editor or contributor) crafts direct HTTP requests to administrative content-feedback endpoints that are intended to be restricted to site administrators, exploiting the missing or incorrect authorization check. By enumerating or guessing module-specific URL paths, the attacker can read or potentially modify content feedback records beyond their assigned role. …
Remediation Upgrade the Advanced Content Feedback (admin_feedback) Drupal module to version 2.8.0 or later, as detailed in the Drupal security advisory SA-CONTRIB-2026-052 at https://www.drupal.org/sa-contrib-2026-052. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13232 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy