Skip to main content

Drupal Date iCal CVE-2026-8495

| EUVDEUVD-2026-30992 CRITICAL
Missing Authorization (CWE-862)
2026-05-19 drupal GHSA-7fjf-jmgw-92f2
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:23 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
9.8 (CRITICAL)
Patch available
May 19, 2026 - 23:02 EUVD
CVE Published
May 19, 2026 - 22:29 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.

This issue affects Date iCal: from 0.0.0 before 4.0.15.

AnalysisAI

Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.

Technical ContextAI

Date iCal is a Drupal contributed module that exports node, calendar, and view data into the iCalendar (.ics) format consumed by Outlook, Google Calendar, and Apple Calendar. The root cause is CWE-862 (Missing Authorization): a code path that serves iCal feeds or related endpoints fails to verify that the requesting user has permission to view the underlying content, enabling 'forceful browsing' - directly requesting a URL to retrieve data the access-control layer should have blocked. The CPE cpe:2.3:a:drupal:date_ical confirms only the Drupal contrib module is in scope; Drupal core itself is not affected.

RemediationAI

Upgrade the Date iCal module to version 4.0.15 or later, which is the vendor-released patch referenced in Drupal advisory SA-CONTRIB-2026-037 (https://www.drupal.org/sa-contrib-2026-037). If immediate upgrade is not feasible, uninstall the Date iCal module if iCal export is not in active use, since it is a contrib add-on and removal will not impact Drupal core; alternatively, restrict access at the web tier by blocking or authenticating requests to the module's feed endpoints (typically routes containing '/ical' or paths exposed by the module's view displays), accepting the trade-off that legitimate calendar subscribers will lose feed access until the patch is applied. Also audit access logs for unusual requests to iCal feed URLs to identify possible prior exposure.

Share

CVE-2026-8495 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy