Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-reachable but requires authenticated low-privilege account and non-trivial endpoint knowledge; no availability impact from authorization bypass alone.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.
AnalysisAI
Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Drupal user account with at least low-level privileges (PR:L per CVSS vector) - this is not an unauthenticated attack. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.2 (Medium) reflects genuine but bounded risk: AV:N indicates network reachability, but AC:H signals that exploitation is non-trivial and PR:L confirms that a valid authenticated account is required, not a fully unauthenticated attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid low-privilege Drupal account on an affected site directly navigates to protected AI Agents module endpoints - bypassing the UI navigation that would normally enforce role-based access - and accesses restricted data or triggers restricted functionality. Exploitation is non-trivial, requiring knowledge of the target endpoint structure and an authenticated session, but no public exploit or proof-of-concept has been identified. |
| Remediation | Drupal has released patched versions for all affected branches. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43060
GHSA-vqr6-3h85-q7hp