Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-reachable with no auth required, but high complexity due to path-knowledge prerequisite; limited confidentiality and integrity impact, no availability effect.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.
AnalysisAI
Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector PR:N indicates no authentication is required to attempt exploitation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Across all available signals, real-world risk is low-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who identifies a Drupal site running the AI Agents module enumerates or guesses resource URLs associated with AI agent endpoints and sends direct HTTP GET or POST requests to those paths without supplying authorization credentials or tokens. Due to the authorization logic flaw, the module processes the request and returns or modifies restricted AI agent data. … |
| Remediation | A patch is available per the vendor advisory at https://www.drupal.org/sa-contrib-2026-057 - administrators should consult that advisory for the exact patched version in their active branch (1.1.x, 1.2.x, or 1.3.x) and upgrade immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43061
GHSA-7c7x-54hv-3m8c