Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Project:

Theme Negotiation by Rules

Date:

2026-February-25

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross-site request forgery

Affected versions:

<1.2.1

CVE IDs:

CVE-2026-3211

Description:

This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

Solution:

Install the latest version:

If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1.

Reported By:

Juraj Nemec (poker10) of the Drupal Security Team

Fixed By:

Zoltan Attila Horvath (huzooka)
Juraj Nemec (poker10) of the Drupal Security Team

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Contribution record

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community