Skip to main content

Drupal FlowDrop EUVDEUVD-2026-43071

| CVE-2026-58589 MEDIUM
Missing Authorization (CWE-862)
2026-07-10 drupal GHSA-wfpx-3cw4-cw3g
5.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-accessible missing authorization flaw requiring a low-privilege authenticated session; C:L/I:L reflects partial access to restricted module data and actions with no availability or scope impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:20 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
5.4 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.

AnalysisAI

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Drupal account
Delivery
Identify FlowDrop module routes from source or documentation
Exploit
Craft direct HTTP request to restricted endpoint
Execution
Module skips authorization check
Impact
Access or modify restricted FlowDrop resource

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least a low-privilege Drupal user account on a site running FlowDrop version prior to 1.6.0 (PR:L from CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) reflects a network-reachable, low-complexity flaw requiring only a low-privilege authenticated session (PR:L), with limited confidentiality and integrity impact (C:L/I:L) and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege Drupal account (e.g., a registered community member or trial user) constructs a direct HTTP GET or POST request to a FlowDrop-managed URL that is intended to be restricted to administrators or elevated roles. Because the module does not perform the expected authorization check, the Drupal framework returns the resource or executes the action without rejecting the request, granting access to content or functionality beyond the attacker's assigned permissions. …
Remediation Update the FlowDrop Drupal module to version 1.6.0 or later, as documented in the Drupal Security Advisory at https://www.drupal.org/sa-contrib-2026-067. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy