Skip to main content

Theme Negotiation By Rules CVE-2026-3211

| EUVDEUVD-2026-15467 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-25 drupal GHSA-rf5j-2h6w-f75m
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15467
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:21 nvd
MEDIUM 4.3

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules allows Cross Site Request Forgery.This issue affects Theme Negotiation by Rules: from 0.0.0 before 1.2.1.

AnalysisAI

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Theme Negotiation by Rules module, affecting all versions from 0.0.0 before 1.2.1. An attacker can exploit this flaw to perform unauthorized actions on behalf of authenticated users by crafting malicious requests that bypass CSRF protections in the theme negotiation functionality. The vulnerability has been officially documented by the Drupal security team via SA-contrib-2026-012, and users of this contrib module should prioritize patching to version 1.2.1 or later.

Technical ContextAI

The vulnerability resides in the Drupal Theme Negotiation by Rules module (CPE: cpe:2.3:a:drupal:theme_negotiation_by_rules:*:*:*:*:*:*:*:*), which is responsible for dynamically selecting and applying themes based on configurable rules within the Drupal content management system. The root cause is classified under CWE-352 (Cross-Site Request Forgery), indicating a failure to implement proper CSRF token validation or Same-Site cookie protections on administrative or user-facing operations that modify theme settings. This allows attackers to forge requests that bypass Drupal's standard CSRF defenses when the module fails to validate security tokens on sensitive endpoints.

RemediationAI

Upgrade the Theme Negotiation by Rules module to version 1.2.1 or later immediately using Drupal's module update interface or via Composer. Visit https://www.drupal.org/sa-contrib-2026-012 to download the patched version and review any configuration changes required after upgrading. As a temporary mitigation prior to patching, administrators should restrict access to theme configuration pages to trusted administrators only via access control lists, disable the module if not actively in use, and monitor access logs for suspicious cross-site requests targeting theme-related endpoints. Clear all browser caches and sessions after patching to ensure CSRF tokens are regenerated.

Share

CVE-2026-3211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy