Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-accessible missing authorization flaw requiring a low-privilege authenticated session; C:L/I:L reflects partial access to restricted module data and actions with no availability or scope impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
AnalysisAI
Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with at least a low-privilege Drupal user account on a site running FlowDrop version prior to 1.6.0 (PR:L from CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) reflects a network-reachable, low-complexity flaw requiring only a low-privilege authenticated session (PR:L), with limited confidentiality and integrity impact (C:L/I:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privilege Drupal account (e.g., a registered community member or trial user) constructs a direct HTTP GET or POST request to a FlowDrop-managed URL that is intended to be restricted to administrators or elevated roles. Because the module does not perform the expected authorization check, the Drupal framework returns the resource or executes the action without rejecting the request, granting access to content or functionality beyond the attacker's assigned permissions. … |
| Remediation | Update the FlowDrop Drupal module to version 1.6.0 or later, as documented in the Drupal Security Advisory at https://www.drupal.org/sa-contrib-2026-067. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43071
GHSA-wfpx-3cw4-cw3g