Problem/Motivation
This was discussed with the security team, who agreed it could be made public.
The comment module has an access bypass vulnerability.
Steps to reproduce
1. Enable the Comment and JSON:API modules.
2. Enable "Accept all JSON:API create, read, update, and delete operations." for the JSON:API module.
3. Configure a node type to accept comments.
4. Create a node with its comment status set to Closed.
5. As a user with the "Post comments" permission, create a comment on that node through JSON:API.
As a result, the comment is created even though users should not be able to post comments when the comment status is Closed: the JSON:API module ignores this per-node configuration field. The same issue applies when the comment status is Hidden.
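Added example, not the patch attached to this issue (whose contents are not shown on this page): one way to enforce the per-entity comment status at the entity level, so the check holds for JSON:API as well as for the comment form. Entity validation runs on JSON:API create, which is why an entity constraint is used here rather than a form check. The module name `mymodule` and the constraint id `CommentHostOpen` are assumed; `CommentInterface`, `CommentItemInterface` and the Symfony constraint base classes are Drupal's own.

```php
<?php

// Added illustration, not core's fix for this issue. Assumed module: mymodule.
// In a real module each class lives in its own file under src/Plugin/Validation/Constraint/.

namespace Drupal\mymodule\Plugin\Validation\Constraint;

use Drupal\comment\CommentInterface;
use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
use Symfony\Component\Validator\Constraint;
use Symfony\Component\Validator\ConstraintValidator;

/**
 * Entity-level constraint: a comment may only be created on an open thread.
 *
 * @Constraint(
 *   id = "CommentHostOpen",
 *   label = @Translation("Commented entity accepts comments", context = "Validation"),
 *   type = "entity:comment"
 * )
 */
class CommentHostOpenConstraint extends Constraint {

  public $message = 'Comments are not accepted on this content.';

}

/**
 * Validator for CommentHostOpenConstraint.
 */
class CommentHostOpenConstraintValidator extends ConstraintValidator {

  /**
   * {@inheritdoc}
   */
  public function validate($entity, Constraint $constraint) {
    // Only new comments are in scope; edits are governed by update access.
    if (!$entity instanceof CommentInterface || !$entity->isNew()) {
      return;
    }
    $host = $entity->getCommentedEntity();
    $field_name = $entity->getFieldName();
    // A comment that points at no host, or at a host without the named
    // comment field, is rejected rather than silently allowed.
    if (!$host || !$host->hasField($field_name)) {
      $this->context->addViolation($constraint->message);
      return;
    }
    // The host's comment field stores the per-entity status:
    // CommentItemInterface::OPEN, ::CLOSED or ::HIDDEN. Anything but OPEN
    // (including CLOSED and HIDDEN) blocks creation.
    $status = (int) $host->get($field_name)->status;
    if ($status !== CommentItemInterface::OPEN) {
      $this->context->addViolation($constraint->message);
    }
  }

}

// --- mymodule.module (assumed file): attach the constraint to the comment entity type.

/**
 * Implements hook_entity_type_alter().
 */
function mymodule_entity_type_alter(array &$entity_types) {
  if (isset($entity_types['comment'])) {
    $entity_types['comment']->addConstraint('CommentHostOpen');
  }
}
```

With this in place, a JSON:API POST to the comment resource against a node whose comment field is Closed or Hidden fails validation with a 422 response instead of creating the comment, and the same constraint fires for any other code path that validates the entity before saving. It is a defence-in-depth layer; the access control handler is still the place where the "Post comments" permission is checked.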
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
| Comment | File | Size | Author |
|---|---|---|---|
| #11 | 3371464-172666-pass.patch | 8.32 KB | larowlan |
| #11 | 3371464-172666-fail.patch | 3.74 KB | larowlan |
Comments
Comment #10
larowlan commented: Crediting those involved in the private issue.
Comment #11
larowlan
Comment #13
smustgrave commented: Following the steps from the issue summary, I can confirm the #11 patch solves it.
The fail patch also shows the test coverage is good.
LGTM
Comment #18
catch commented: Committed/pushed to 11.x and cherry-picked to 10.1.x, thanks!