Skip to main content

Drupal ECA CVE-2026-15083

| EUVDEUVD-2026-43078 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-07-10 drupal GHSA-7h4c-w76p-j34c
4.2
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.2 MEDIUM

Network-reachable but high complexity and low-privilege authentication required; limited confidentiality and integrity impact with no availability effect and no scope change.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:47 vuln.today
CVSS changed
Jul 13, 2026 - 19:22 NVD
4.2 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.

AnalysisAI

Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Drupal with low-privileged account
Delivery
Identify ECA endpoint consuming dynamic object attributes
Exploit
Craft payload injecting unauthorized object properties
Execution
Trigger ECA event processing with malicious request
Impact
Manipulate workflow logic to read restricted data or alter action outcomes

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Drupal account with at least low-privileged access, as confirmed by the CVSS PR:L metric - fully unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) reflects a constrained but genuine risk: the vulnerability is network-reachable and requires no user interaction, but demands authenticated access at low privilege level and high attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged Drupal user - such as a contributor or editor with access to ECA-exposed endpoints - crafts a request that injects unexpected object attributes into a dynamically-constructed ECA object during event processing. By exploiting the insufficient property allowlisting, the attacker manipulates internal object state to read restricted data or alter ECA workflow outcomes such as condition evaluations or action parameters. …
Remediation Upgrade the ECA module to a fixed release per the vendor advisory at https://www.drupal.org/sa-contrib-2026-074. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy