SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Date: 
2026-April-01
CVE IDs: 
CVE-2026-5343

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Date: 
2026-March-18
CVE IDs: 
CVE-2026-4393

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.
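The standard way to close this class of issue in a Drupal module is a `_csrf_token` requirement on the route. The following routing fragment is an added example and is not the Automated Logout module's own routing file: the route and controller names are hypothetical. It shows a state-changing logout route without CSRF protection beside the same route with the token requirement.

```yaml
# mymodule.routing.yml (hypothetical module and route names, added example)

# Weak: any GET to /mymodule/logout is acted on. A page the victim merely
# visits can issue that request (an <img> tag or a hidden form is enough),
# so the logout fires without any user interaction.
mymodule.logout_weak:
  path: '/mymodule/logout'
  defaults:
    _controller: '\Drupal\mymodule\Controller\LogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'

# Hardened: the route additionally requires a CSRF token. Drupal core's
# CsrfAccessCheck validates the 'token' query parameter against the
# session-bound token for this route path and denies access when it is
# missing or wrong. Links built with Url::fromRoute('mymodule.logout')
# get the token query parameter appended automatically by core's
# RouteProcessorCsrf, so in-site links keep working while a cross-site
# request, which cannot know the token, is rejected.
mymodule.logout:
  path: '/mymodule/logout'
  defaults:
    _controller: '\Drupal\mymodule\Controller\LogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
```

To check a site, search the enabled modules' `*.routing.yml` files for routes whose controller changes state (logout, delete, toggle) but whose `requirements:` block lacks `_csrf_token: 'TRUE'`; routes implemented as a `_form` are covered by the Form API's own token and do not need this requirement.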

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

Date: 
2026-March-11
CVE IDs: 
CVE-2026-4933

This module creates permissions per node content type to control access to unpublished nodes per content type.

The module does not consistently control access for unpublished translated nodes.

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

Date: 
2026-March-11
CVE IDs: 
CVE-2026-3573

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering this HTML in the browser can expose confidential communications made in the context of the LLM request.

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3532

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3531

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

A visitor who successfully logs in at their Identity Provider but is then denied access to Drupal by custom code or a server error keeps their session at the Identity Provider. This can lead to access bypass, especially in a shared computing environment.

OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3530

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.

Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3529

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.

This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.

Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3528

This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration.

The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).

AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022

Date: 
2026-March-04
CVE IDs: 
CVE-2026-3527

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons.

The module doesn't sufficiently check access on the dashboard configuration route. Unauthorized users could access the entity dashboard configuration page and either enable or disable dashboards. The affected administration page does not permit editing the configurations of the dashboards themselves.
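An administrative route that enables or disables site-wide configuration needs an access requirement tied to a permission, not a blanket allow. The following fragment is an added example and is not the AJAX Dashboard module's own code: the module, route, form and permission names are hypothetical. It places the open route beside the hardened one and shows the permission declaration the hardened route depends on.

```yaml
# mymodule.routing.yml (hypothetical names, added example)

# Weak: '_access: TRUE' grants the route to every visitor, including
# anonymous users, so anyone can reach the configuration page and flip
# dashboards on or off.
mymodule.dashboard_config_weak:
  path: '/admin/structure/mymodule/dashboards'
  defaults:
    _form: '\Drupal\mymodule\Form\DashboardConfigForm'
    _title: 'Entity dashboards'
  requirements:
    _access: 'TRUE'

# Hardened: the route requires a dedicated permission. Core's
# PermissionAccessCheck denies access unless the current user holds it.
# '_admin_route: TRUE' also makes the page use the administration theme.
mymodule.dashboard_config:
  path: '/admin/structure/mymodule/dashboards'
  defaults:
    _form: '\Drupal\mymodule\Form\DashboardConfigForm'
    _title: 'Entity dashboards'
  requirements:
    _permission: 'administer mymodule dashboards'
  options:
    _admin_route: TRUE

# mymodule.permissions.yml (hypothetical, added example)
# 'restrict access: true' flags the permission as security-sensitive on
# the permissions page so it is not handed out to untrusted roles.
'administer mymodule dashboards':
  title: 'Administer entity dashboards'
  description: 'Enable, disable and configure entity dashboards.'
  restrict access: true
```

When auditing a site, list routes under `/admin/` whose `requirements:` block contains only `_access: 'TRUE'`; each one should either be deliberately public or be switched to a `_permission`, `_role` or `_custom_access` requirement.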
