Skip to main content

Flowdrop

2 CVEs product

Monthly

CVE-2026-58590 PHP MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-58589 PHP MEDIUM PATCH This Month

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.

Authentication Bypass Flowdrop
NVD
CVSS 3.1
5.4
EPSS
0.2%
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing Authorization (CWE-862) in the Drupal FlowDrop contributed module allows authenticated low-privilege users to perform Forceful Browsing - directly accessing protected URLs without proper permission checks being enforced. All FlowDrop releases from 0.0.0 up to 1.6.0 are affected; a successful attacker can read or modify content and workflow data beyond their authorized scope. No public exploit has been identified and EPSS sits at 0.18% (8th percentile), indicating negligible observed exploitation probability at time of analysis; the vulnerability is not listed in CISA KEV.

Authentication Bypass Flowdrop
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Missing authorization in the FlowDrop Drupal contributed module (versions prior to 1.6.0) enables authenticated low-privilege users to perform forceful browsing, accessing URLs and resources that should be restricted to higher-privilege roles. The vulnerability stems from CWE-862, where authorization checks are absent or bypassed on protected endpoints within the module. No public exploit code or CISA KEV listing exists at time of analysis; the EPSS score of 0.18% (8th percentile) reflects low observed exploitation probability, but the low attack complexity and network accessibility make it a meaningful risk on multi-tenant or public Drupal sites with the module installed.

Authentication Bypass Flowdrop
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy