Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Network-accessible but PR:H and AC:H because exploitation requires a pre-existing high-privilege session and non-trivial knowledge of unguarded route paths; no availability impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence) versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3.
AnalysisAI
Forceful browsing exposure in Drupal's AI (Artificial Intelligence) contributed module permits high-privileged authenticated users to access protected resources without proper authorization checks, affecting versions 0.0.0-1.2.17, 1.3.0-1.3.8, and 1.4.0-1.4.3. The vulnerability stems from CWE-862 (Missing Authorization), where path-level access controls are not enforced on certain AI module endpoints, allowing an authenticated user with high privileges to traverse to unauthorized resources. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already hold a high-privileged authenticated session within the target Drupal installation (PR:H per CVSS vector), meaning an anonymous or low-privileged user cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals consistently place this vulnerability in the low-priority tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Drupal user holding a high-privileged role - such as an administrator or a role granted elevated AI module permissions - manually navigates directly to an AI module endpoint URL that lacks an authorization check, bypassing the intended access boundary and reading or modifying AI-related resources they were not explicitly granted access to. No exploit tooling or POC exists at time of analysis, meaning exploitation requires deliberate manual effort and prior knowledge of the target URL paths. |
| Remediation | The vendor has released patched versions addressing this vulnerability; site administrators should upgrade the Drupal AI module to version 1.2.17 (for sites on the 1.2.x branch), 1.3.8 (for the 1.3.x branch), or 1.4.3 (for the 1.4.x branch) per Drupal security advisory SA-contrib-2026-055 available at https://www.drupal.org/sa-contrib-2026-055. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ai Artificial Intelligence
View allDrupal AI module versions 0.0.0 before 1.1.11 and 1.2.0 before 1.2.12 contain an incorrect authorization vulnerability (
Cross-site scripting in the Drupal AI (Artificial Intelligence) contributed module exposes sites to session hijacking an
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43059
GHSA-4c7f-qhrm-6jc8