Skip to main content

Drupal AI CVE-2026-13235

| EUVDEUVD-2026-43059 LOW
Missing Authorization (CWE-862)
2026-07-10 drupal GHSA-4c7f-qhrm-6jc8
3.3
CVSS 3.1 · Vendor: drupal

Severity by source

Vendor (drupal) PRIMARY
3.3 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
3.3 LOW

Network-accessible but PR:H and AC:H because exploitation requires a pre-existing high-privilege session and non-trivial knowledge of unguarded route paths; no availability impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Jul 13, 2026 - 21:17 vuln.today
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL LOW
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.8 (CRITICAL) 3.3 (LOW)
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3.

AnalysisAI

Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege Drupal account
Delivery
Identify unguarded AI module route URLs
Exploit
Send direct HTTP request to restricted endpoint
Execution
Bypass missing authorization check
Impact
Read or modify AI module resources

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a high-privileged authenticated session within the target Drupal installation (PR:H per CVSS vector), meaning an anonymous or low-privileged user cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals consistently place this vulnerability in the low-priority tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Drupal user holding a high-privileged role - such as an administrator or a role granted elevated AI module permissions - manually navigates directly to an AI module endpoint URL that lacks an authorization check, bypassing the intended access boundary and reading or modifying AI-related resources they were not explicitly granted access to. No exploit tooling or POC exists at time of analysis, meaning exploitation requires deliberate manual effort and prior knowledge of the target URL paths.
Remediation The vendor has released patched versions addressing this vulnerability; site administrators should upgrade the Drupal AI module to version 1.2.17 (for sites on the 1.2.x branch), 1.3.8 (for the 1.3.x branch), or 1.4.3 (for the 1.4.x branch) per Drupal security advisory SA-contrib-2026-055 available at https://www.drupal.org/sa-contrib-2026-055. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy