Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

Project:

Date:

2026-February-25

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<2.0.4

CVE IDs:

CVE-2026-3210

Description:

This module enables you to add icons to CKEditor.

The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.

Solution:

Install the latest version and review permissions:

If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4.
Assign the newly created "use material icons" permission to users who should have access to the widgets.

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.