Ai Agents
Monthly
Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.
Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.
Incorrect Authorization (CWE-863) in the Drupal AI Agents contributed module enables Forceful Browsing, allowing network-reachable attackers to access restricted AI agent resources without proper permission checks. Three distinct release branches are affected: 0.0.0-1.1.4, 1.2.0-1.2.5, and 1.3.0-1.3.1. CISA SSVC classifies exploitation as none with partial technical impact, EPSS sits at the 4th percentile, and no public exploit has been identified at time of analysis - signals that collectively indicate limited immediate real-world risk despite the network-accessible attack vector.
Missing authorization controls in the Drupal AI Agents contrib module expose protected resources to forceful browsing by authenticated low-privilege users. Affected installations span three version branches - 0.0.0 through 1.1.3, 1.2.0 through 1.2.4, and 1.3.0 - across the Drupal ecosystem. No public exploit has been identified and CISA has not added this to KEV; EPSS at 0.14% (4th percentile) and SSVC's 'none' exploitation status confirm minimal real-world threat at time of analysis.