Skip to main content

Commerce Realex / Global Payments EUVDEUVD-2026-43062

| CVE-2026-13238 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-10 drupal GHSA-2q62-xm7g-h9gh
4.8
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

Network-accessible web module with no auth needed, but AC:H reflects required endpoint knowledge; C:L/I:L reflects bounded payment-data exposure with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Generated
Jul 13, 2026 - 21:18 vuln.today
Severity Changed
Jul 13, 2026 - 19:22 NVD
CRITICAL MEDIUM
CVSS changed
Jul 13, 2026 - 19:22 NVD
9.1 (CRITICAL) 4.8 (MEDIUM)
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.1 (CRITICAL)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:44 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.

AnalysisAI

Incorrect Authorization (CWE-863) in the Drupal Commerce Realex / Global Payments module exposes protected payment and order resources to forceful browsing, allowing unauthenticated remote attackers to access endpoints that should require authorization. All module versions from 0.0.0 through 3.0.2 (exclusive) are affected on Drupal Commerce deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Drupal site with Commerce Realex module
Delivery
Enumerate or infer protected payment endpoint URLs
Exploit
Send unauthenticated HTTP request to restricted path
Execution
Bypass authorization check via CWE-863 flaw
Impact
Access order or transaction data

Vulnerability AssessmentAI

Exploitation The target site must be running the Drupal Commerce Realex / Global Payments module in versions 0.0.0 through 3.0.2 (exclusive). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Multiple signals converge on a moderate-to-low real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a Drupal e-commerce site identifies that it uses the Commerce Realex / Global Payments module, then enumerates or constructs the URL paths for protected payment confirmation or order-status endpoints. Without holding a user session or any credentials, the attacker directly browses to those paths, triggering the missing authorization check and gaining access to order details or potentially influencing transaction state. …
Remediation Upgrade the Commerce Realex / Global Payments module to version 3.0.2 or later, as confirmed available by the vendor advisory at https://www.drupal.org/sa-contrib-2026-058. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy