Home

Description

Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.

PUBLISHED Reserved 2026-06-24 | Published 2026-07-10 | Updated 2026-07-13 | Assigner drupal

Problem types

CWE-863 Incorrect Authorization

Product status

0.0.0 (semver) before 1.1.4
affected

1.2.0 (semver) before 1.2.5
affected

1.3.0 (semver) before 1.3.1
affected

Credits

Andrew Belcher (andrewbelcher) finder

Rob Edwards (rob_e) finder

Andrew Belcher (andrewbelcher) remediation developer

Marcus Johansson (marcus_johansson) remediation developer

Rob Edwards (rob_e) remediation developer

Bram Driesen (bramdriesen) coordinator

Greg Knaddison (greggles) coordinator

Drew Webber (mcdruid) coordinator

Juraj Nemec (poker10) coordinator

References

www.drupal.org/sa-contrib-2026-057

cve.org (CVE-2026-13237)

nvd.nist.gov (CVE-2026-13237)

Download JSON