Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.
AnalysisAI
Drupal Automated Logout module contains a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects Automated Logout versions prior to 1.7.0 and versions 2.0.0 through 2.0.1, with patched versions available at 1.7.0 and 2.0.2 respectively. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The vulnerability exists in the Drupal Automated Logout module (CPE: cpe:2.3:a:drupal:automated_logout), which is a contributed Drupal extension that manages user session timeouts and automatic logout functionality. The root cause is classified as CWE-352 (Cross-Site Request Forgery), indicating that the module fails to properly validate the origin and authenticity of requests before performing sensitive operations. CSRF vulnerabilities typically arise when applications do not implement adequate token-based defenses (such as CSRF tokens) or proper SameSite cookie attributes. In the context of logout functionality, an attacker can exploit this by tricking a logged-in user into visiting a malicious page that submits a request to trigger logout or modify logout settings, potentially disrupting user sessions or altering security-critical configurations.
RemediationAI
Upgrade Drupal Automated Logout to version 1.7.0 or later for the 1.x branch, or to version 2.0.2 or later for the 2.x branch. Apply the patch immediately via Drupal's module update interface or by downloading the patched release from https://www.drupal.org/sa-contrib-2026-030. Verify the update by checking the module version in the Drupal admin interface under Extend. As a temporary workaround pending patching, restrict access to the Automated Logout module's configuration pages to trusted administrators only and monitor user session logs for unusual logout patterns. Enable CSRF token validation site-wide via Drupal core settings to provide additional defense-in-depth protection.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16393