• Advisory ID: DRUPAL-SA-CONTRIB-2012-116
  • Project: Subuser (third-party module)
  • Version: 6.x
  • Date: 2012-July-25
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross Site Request Forgery


The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created.

A parent user is allowed to assume the role of a subuser they created (switch users) without having the "switch subuser" permission. However, users are prevented from switching to subusers that were not created by them. Additionally users can be switched to a subuser without intending to do so via a Cross Site Request Forgery attack (CSRF).

CVE: Requested

Versions affected

  • subuser 6.x-1.x versions prior to 6.x-1.8.

Drupal core is not affected. If you do not use the contributed Subuser module, there is nothing you need to do.


Install the latest version:

Also see the Subuser project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.