Skip to main content

Ai Artificial Intelligence CVE-2026-3573

| EUVDEUVD-2026-16391 HIGH
Incorrect Authorization (CWE-863)
2026-03-26 drupal
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16391
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:10 nvd
HIGH 7.5

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.

AnalysisAI

Drupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (CWE-863) that enables resource injection attacks. The flaw allows attackers to bypass authorization controls and inject malicious resources, potentially gaining unauthorized access to AI-driven functionality or data within affected Drupal installations. No public exploit code or active exploitation has been confirmed at the time of this analysis.

Technical ContextAI

The vulnerability exists in the Drupal AI (Artificial Intelligence) module (CPE: cpe:2.3:a:drupal:ai_(artificial_intelligence):*:*:*:*:*:*:*:*), which provides artificial intelligence capabilities integrated into Drupal content management systems. CWE-863 (Incorrect Authorization) represents a failure in access control logic, where the application does not properly verify that a user has the necessary permissions before allowing access to protected resources or operations. In this context, the resource injection capability suggests that an attacker can manipulate input parameters or requests to inject unauthorized resource references, bypassing the intended authorization checks within the AI module's permission framework. This is particularly critical in multi-tenant or role-based access scenarios where authorization decisions should prevent privilege escalation.

RemediationAI

Upgrade Drupal AI module to version 1.1.11 or later (for the 0.x/1.0.x branch) or to version 1.2.12 or later (for the 1.2.x branch). These patched versions resolve the authorization bypass and resource injection vulnerability. Consult the official Drupal security advisory (https://www.drupal.org/sa-contrib-2026-028) for precise upgrade instructions and compatibility notes. Until patching can be deployed, enforce strict authorization policy reviews on the AI module configuration, disable AI module functionality if not immediately required, and restrict administrative access to AI feature settings to trusted administrators only. Organizations should verify that their Drupal core version and contributed module dependencies are compatible with the patched AI versions before upgrading.

Share

CVE-2026-3573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy