Drupal Contrib Security
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
This module provides a site administrator the ability to log users out after a specified time of inactivity.
The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.
Solution: Install the latest version:
- If you use Automated Logout 8.x-1.x version 8.x-1.6 or lower, upgrade to autologout 8.x-1.7.
- If you use Automated Logout 2.x version 2.0.1 or lower, upgrade to autologout 2.0.2.
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
This module creates permissions per node content type to control access to unpublished nodes per content type.
The module does not consistently control access for unpublished translated nodes.
Solution: Install the latest version:
- If you use the Unpublished Node Permissions module, upgrade to Unpublished Node Permissions 8.x-1.7.
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.
Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the context of the LLM request.
Solution: Install the latest version:
- If you use the AI module 1.1 or earlier, upgrade to AI 1.1.11.
- If you use the AI module 1.2, upgrade to AI 1.2.12.
- Artem Dmitriiev (a.dmitriiev)
- Abhisek Mazumdar (abhisekmazumdar)
- Dave Long (longwave) of the Drupal Security Team
- Marcus Johansson (marcus_johansson)
- Valery Lourie (valthebald)
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.
Solution: Install the latest version:
- If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5.
Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See "Fixing emails that vary only by case" for additional guidance.
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.
Solution: Install the latest version:
- If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5.
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.
This vulnerability is mitigated by the following factors:
- An attacker must have access to the identity provider in order to supply compromised data in the source profile.
- The site must have specific field mappings configured.
Solution: Install the latest version:
- If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5.
- Drew Webber (mcdruid) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Philip Frilling (pfrilling)
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.
This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.
An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.
Note: this advisory initially suggested it was fixed in the 1.1.13 release, but the 1.1.13 release was missing the fix. Users of this module should switch to the 1.1.14 release.
Solution: Install the latest version:
- If you use the Google Analytics GA4 module, upgrade to Google Analytics GA4 1.1.14.
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
This module extends the Drupal Form API by adding "Calculation element" form element types, which can evaluate a maths expression. It offers Webform integration.
The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).
Solution: Install the latest version:
- If you use the Calculation fields module, upgrade to Calculation fields 1.0.4.
- Drew Webber (mcdruid) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons.
The module doesn't sufficiently check access on the dashboard configuration route. Unauthorized users could access the entity dashboard configuration page and either enable or disable dashboards. The affected administration page does not permit editing the configurations of the dashboards themselves.
The vulnerability is mitigated by the fact that the AJAX Dashboard Entity Dashboard submodule must be enabled.
Solution: Install the latest version of the AJAX Dashboard module, which includes the update to AJAX Dashboard: Entity Dashboards:
- If you use the AJAX Dashboard module, upgrade to AJAX Dashboard 3.1.0.
- Juraj Nemec (poker10) of the Drupal Security Team
- Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
This module moves files to and from private storage depending on the access of its owning entities.
The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances.
This vulnerability is mitigated by the fact that saving an entity a second time resolves the issue.
Solution: Install the latest version:
- If you use the File access fix module, upgrade to File access fix 8.x-1.2.
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
This module moves files to and from private storage depending on the access of its owning entities.
The module does not sufficiently incorporate the results of hook_file_download() when a custom or contrib module implements that hook, leading to access bypass.
Solution: Install the latest version:
- If you use the File access fix module, upgrade to File access fix 8.x-1.2.
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team