Project: 
Date: 
2022-July-20
Vulnerability: 
Access Bypass
Affected versions: 
>= 8.0.0 <9.3.19 || >= 9.4.0 <9.4.3
CVE IDs: 
CVE-2022-25278
Description: 

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By: 
Fixed By: