Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
AnalysisAI
Drupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (CWE-863) that enables resource injection attacks. The flaw allows attackers to bypass authorization controls and inject malicious resources, potentially gaining unauthorized access to AI-driven functionality or data within affected Drupal installations. No public exploit code or active exploitation has been confirmed at the time of this analysis.
Technical ContextAI
The vulnerability exists in the Drupal AI (Artificial Intelligence) module (CPE: cpe:2.3:a:drupal:ai_(artificial_intelligence):*:*:*:*:*:*:*:*), which provides artificial intelligence capabilities integrated into Drupal content management systems. CWE-863 (Incorrect Authorization) represents a failure in access control logic, where the application does not properly verify that a user has the necessary permissions before allowing access to protected resources or operations. In this context, the resource injection capability suggests that an attacker can manipulate input parameters or requests to inject unauthorized resource references, bypassing the intended authorization checks within the AI module's permission framework. This is particularly critical in multi-tenant or role-based access scenarios where authorization decisions should prevent privilege escalation.
RemediationAI
Upgrade Drupal AI module to version 1.1.11 or later (for the 0.x/1.0.x branch) or to version 1.2.12 or later (for the 1.2.x branch). These patched versions resolve the authorization bypass and resource injection vulnerability. Consult the official Drupal security advisory (https://www.drupal.org/sa-contrib-2026-028) for precise upgrade instructions and compatibility notes. Until patching can be deployed, enforce strict authorization policy reviews on the AI module configuration, disable AI module functionality if not immediately required, and restrict administrative access to AI feature settings to trusted administrators only. Organizations should verify that their Drupal core version and contributed module dependencies are compatible with the patched AI versions before upgrading.
More in Ai Artificial Intelligence
View allCross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking an
Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authentic
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16391