Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Theme Negotiation by Rules module, affecting all versions from 0.0.0 before 1.2.1. An attacker can exploit this flaw to perform unauthorized actions on behalf of authenticated users by crafting malicious requests that bypass CSRF protections in the theme negotiation functionality. The vulnerability has been officially documented by the Drupal security team via SA-contrib-2026-012, and users of this contrib module should prioritize patching to version 1.2.1 or later.
Technical ContextAI
The vulnerability resides in the Drupal Theme Negotiation by Rules module (CPE: cpe:2.3:a:drupal:theme_negotiation_by_rules:*:*:*:*:*:*:*:*), which is responsible for dynamically selecting and applying themes based on configurable rules within the Drupal content management system. The root cause is classified under CWE-352 (Cross-Site Request Forgery), indicating a failure to implement proper CSRF token validation or Same-Site cookie protections on administrative or user-facing operations that modify theme settings. This allows attackers to forge requests that bypass Drupal's standard CSRF defenses when the module fails to validate security tokens on sensitive endpoints.
RemediationAI
Upgrade the Theme Negotiation by Rules module to version 1.2.1 or later immediately using Drupal's module update interface or via Composer. Visit https://www.drupal.org/sa-contrib-2026-012 to download the patched version and review any configuration changes required after upgrading. As a temporary mitigation prior to patching, administrators should restrict access to theme configuration pages to trusted administrators only via access control lists, disable the module if not actively in use, and monitor access logs for suspicious cross-site requests targeting theme-related endpoints. Clear all browser caches and sessions after patching to ensure CSRF tokens are regenerated.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15467
GHSA-rf5j-2h6w-f75m