Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Project:

Automated Logout

Date:

2026-March-18

Security risk:

Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All

Vulnerability:

Cross-site request forgery

Affected versions:

<1.7.0 || >=2.0.0 <2.0.2

CVE IDs:

CVE-2026-4393

Description:

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

Solution:

Install the latest version:

If you use Automated Logout 8.x-1.x version 8.x-1.6 or lower, upgrade to autologout 8.x-1.7.
If you use Automated Logout 2.x version 2.0.1 or lower, upgrade to autologout 2.0.2.

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community