Skip to main content

Translate Drupal with GTranslate CVE-2026-8492

| EUVDEUVD-2026-30989 LOW
Modification of Assumed-Immutable Data (MAID) (CWE-471)
2026-05-19 drupal GHSA-p6f3-29pv-cj66
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:25 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
2.7 (LOW)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:29 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing.

This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.

AnalysisAI

Resource Location Spoofing in the Drupal 'Translate Drupal with GTranslate' module (versions 0.0.0 through before 3.0.5) allows a high-privileged authenticated attacker to modify data the module treats as immutable, enabling redirection of translation resource locations. Exploitation requires network access but demands administrator-level privileges, yielding only low integrity impact with no confidentiality or availability consequences. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating negligible exploitation interest at this time.

Technical ContextAI

The affected component is the Drupal contributed module 'Translate Drupal with GTranslate' (CPE: cpe:2.3:a:drupal:translate_drupal_with_gtranslate:*:*:*:*:*:*:*:*), which integrates the GTranslate cloud translation service into Drupal CMS sites. The root cause is CWE-471 (Modification of Assumed-Immutable Data, MAID): the module treats certain configuration or data values - likely translation service endpoint URLs or resource locators - as fixed and trustworthy at runtime, but fails to enforce immutability with adequate access controls. An authorized privileged user can alter these values, causing the module to reference attacker-controlled or spoofed resource locations. The CVSS integrity-only impact (I:L, C:N, A:N) and the advisory tag 'Resource Location Spoofing' together suggest this is a configuration-plane integrity issue rather than a code execution or data exfiltration path. Note: the intelligence tag labels this 'Information Disclosure', which conflicts with the description's 'Resource Location Spoofing' framing - the Drupal advisory at https://www.drupal.org/sa-contrib-2026-035 should be consulted to resolve this discrepancy.

RemediationAI

Upgrade the Translate Drupal with GTranslate module to version 3.0.5 or later, as confirmed by the vendor advisory at https://www.drupal.org/sa-contrib-2026-035 (patch available per vendor). If an immediate upgrade is not feasible, restrict administrative access to the module's configuration pages by auditing and reducing the number of accounts holding the relevant high-privilege Drupal roles, since PR:H means only privileged users can trigger this issue. Drupal's built-in permission system can be used to limit access to translation configuration. These compensating controls reduce insider-threat exposure but do not eliminate the underlying MAID flaw and should be treated as temporary measures only.

Share

CVE-2026-8492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy