Drupal security advisory (AV26-225)
# Vulnerability: Multiple Vulnerabilities in Drupal Contributed Modules
## CVE Details
- **CVE ID:** Pending/Not explicitly listed in the advisory (Referenced by Drupal Security Advisory IDs)
- **CVSS Score:** Critical (for Unpublished Node Permissions) / Moderately Critical (for AI Module)
- **CWE:** CWE-284 (Improper Access Control) / CWE-200 (Information Exposure)
## Affected Systems
- **Products:**
  1. Unpublished Node Permissions (Contributed Module)
  2. AI - Artificial Intelligence (Contributed Module)
- **Versions:**
  1. Unpublished Node Permissions: Versions prior to 1.7.0
  2. AI: Versions prior to 1.1.11 and 1.2.x versions prior to 1.2.12
- **Configurations:** Systems running these specific contributed modules with default or specific permission settings.
## Vulnerability Description
This advisory covers two distinct flaws in Drupal contributed modules:
1. **Unpublished Node Permissions (Access Bypass):** A critical flaw where the module fails to properly restrict access to unpublished content, potentially allowing unauthorized users to view sensitive data that should be hidden from public view.
2. **AI Module (Information Disclosure):** A moderately critical flaw where the module may expose information unintentionally, potentially leaking configuration details or data processed by the AI integration.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of advisory; PoC not publicly released.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Unauthorized access to unpublished nodes and AI-related data)
- **Integrity:** Low
- **Availability:** Low
## Remediation
### Patches
The Drupal security team recommends upgrading to the following versions immediately:
- **Unpublished Node Permissions:** Update to version **1.7.0** or higher.
- **AI (Artificial Intelligence):** Update to version **1.1.11** or **1.2.12** depending on the major version branch currently in use.
### Workarounds
- **Manual Permission Review:** For Unpublished Node Permissions, administrators should manually audit user roles and "view unpublished content" permissions.
- **Module Disablement:** If patching is not immediately possible, disable the affected modules to mitigate risk.
## Detection
- **Indicators of Compromise:** Unusual access logs showing non-privileged users accessing URLs associated with unpublished nodes (`/node/[nid]`).
- **Detection methods and tools:** Use Drupal’s internal "Recent log messages" (Watchdog) to track unauthorized access attempts and requests whose 403/404 responses suddenly changed behavior.
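
The check described above, as an added example that is not part of the advisory or of Drupal's own tooling: it scans a web server access log for `/node/[nid]` paths that were first denied (403/404) and later served with 200. It assumes combined-log-format lines; the sample lines and the name `find_status_flips` are constructed for illustration.

```python
import re

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:01:12 +0000] "GET /node/41 HTTP/1.1" 403 512 "-" "curl/8.5"
198.51.100.4 - - [10/Mar/2026:09:02:40 +0000] "GET /node/12 HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:03:05 +0000] "GET /node/77 HTTP/1.1" 404 310 "-" "curl/8.5"
203.0.113.7 - - [10/Mar/2026:09:03:09 +0000] "GET /node/41/edit HTTP/1.1" 403 512 "-" "curl/8.5"
198.51.100.4 - - [10/Mar/2026:09:05:51 +0000] "GET /node/90 HTTP/1.1" 200 7002 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:14:03 +0000] "GET /node/41?page=1 HTTP/1.1" 200 9120 "-" "curl/8.5"
198.51.100.4 - - [10/Mar/2026:09:20:17 +0000] "GET /node/90 HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:21:30 +0000] "GET /node/77 HTTP/1.1" 404 310 "-" "curl/8.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Only the node view path itself (optionally with a query string), not /edit etc.
NODE_RE = re.compile(r'^/node/(?P<nid>\d+)/?(?:\?.*)?$')
DENIED = {403, 404}

def find_status_flips(log_text):
    """Return one finding per node ID whose response went from 403/404 to 200."""
    first_denied = {}  # nid -> (timestamp, status) of the first denied request
    findings = {}      # nid -> details of the first 200 seen after a denial
    for line in log_text.splitlines():  # lines are assumed to be in time order
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        node = NODE_RE.match(m["path"])
        if not node:
            continue
        nid, status = int(node["nid"]), int(m["status"])
        if status in DENIED:
            first_denied.setdefault(nid, (m["ts"], status))
        elif status == 200 and nid in first_denied and nid not in findings:
            denied_at, denied_status = first_denied[nid]
            findings[nid] = {"nid": nid, "denied_at": denied_at,
                             "denied_status": denied_status,
                             "served_at": m["ts"], "client": m["ip"]}
    return sorted(findings.values(), key=lambda f: f["nid"])

if __name__ == "__main__":
    for f in find_status_flips(SAMPLE_LOG):
        print(f)
```

A flagged node is a lead for review rather than proof of access bypass, since the node may have been published legitimately between the two requests; compare each hit against the node's publication state and the requesting user's role.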
## References
- **Vendor advisories:** hxxps[://]www[.]drupal[.]org/security
- **SA-CONTRIB-2026-029:** hxxps[://]www[.]drupal[.]org/sa-contrib-2026-029
- **SA-CONTRIB-2026-028:** hxxps[://]www[.]drupal[.]org/sa-contrib-2026-028
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-225