Skip to main content

Automated Logout CVE-2026-4393

| EUVDEUVD-2026-16393 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-26 drupal
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16393
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:10 nvd
MEDIUM 4.3

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.

AnalysisAI

Drupal Automated Logout module contains a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects Automated Logout versions prior to 1.7.0 and versions 2.0.0 through 2.0.1, with patched versions available at 1.7.0 and 2.0.2 respectively. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability exists in the Drupal Automated Logout module (CPE: cpe:2.3:a:drupal:automated_logout), which is a contributed Drupal extension that manages user session timeouts and automatic logout functionality. The root cause is classified as CWE-352 (Cross-Site Request Forgery), indicating that the module fails to properly validate the origin and authenticity of requests before performing sensitive operations. CSRF vulnerabilities typically arise when applications do not implement adequate token-based defenses (such as CSRF tokens) or proper SameSite cookie attributes. In the context of logout functionality, an attacker can exploit this by tricking a logged-in user into visiting a malicious page that submits a request to trigger logout or modify logout settings, potentially disrupting user sessions or altering security-critical configurations.

RemediationAI

Upgrade Drupal Automated Logout to version 1.7.0 or later for the 1.x branch, or to version 2.0.2 or later for the 2.x branch. Apply the patch immediately via Drupal's module update interface or by downloading the patched release from https://www.drupal.org/sa-contrib-2026-030. Verify the update by checking the module version in the Drupal admin interface under Extend. As a temporary workaround pending patching, restrict access to the Automated Logout module's configuration pages to trusted administrators only and monitor user session logs for unusual logout patterns. Enable CSRF token validation site-wide via Drupal core settings to provide additional defense-in-depth protection.

Share

CVE-2026-4393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy