Plattform
drupal
Komponente
drupal
Behoben in
1.7.0
2.0.2
8.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Automated Logout, allowing attackers to potentially perform unauthorized actions. This flaw impacts versions ranging from 2.0.0 up to 8.x-1.7. The vulnerability has been resolved in version 2.0.2, and users are strongly advised to upgrade.
This CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they did not intend. Successful exploitation could lead to unauthorized modifications of Automated Logout settings, potentially impacting user session management and security policies within the Drupal site. The attacker needs to craft a malicious request that the user unknowingly submits, leveraging their authenticated session. While the direct impact may seem limited to the Automated Logout module, a compromised configuration could have broader implications for site security.
CVE-2026-4393 was publicly disclosed on 2026-03-26. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's impact is considered medium, and it is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the availability of the CVE details increases the risk of potential attacks.
Websites using Drupal with the Automated Logout module installed, particularly those running vulnerable versions (2.0.0–8.x-1.7). Sites with less stringent access controls to the Automated Logout configuration are at higher risk.
• drupal / module: Check Drupal module versions for Automated Logout.
drush pm-info --title --core --modules --themes --profiles | grep Automated Logout• drupal / configuration: Review Automated Logout configuration settings for unexpected changes. • generic web: Monitor access logs for suspicious requests targeting Automated Logout endpoints.
disclosure
Exploit-Status
EPSS
0.02% (4% Perzentil)
CVSS-Vektor
The primary mitigation is to upgrade Drupal Automated Logout to version 2.0.2 or later. If immediate upgrading is not feasible, consider implementing strict input validation and output encoding within the Automated Logout module to prevent malicious requests. Additionally, implement CSRF protection mechanisms at the Drupal application level, such as using CSRF tokens for all sensitive operations. Review and restrict access to Automated Logout configuration pages to authorized personnel only.
Actualice el módulo Automated Logout a la versión 1.7.0 o superior, o a la versión 2.0.2 o superior, según corresponda a su rama de versión. Esto corregirá la vulnerabilidad de Cross-Site Request Forgery (CSRF).
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-4393 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Automated Logout module, allowing attackers to perform unauthorized actions if users unknowingly submit malicious requests.
You are affected if you are using Drupal Automated Logout versions 2.0.0–8.x-1.7. Upgrade to version 2.0.2 to mitigate the risk.
Upgrade Drupal Automated Logout to version 2.0.2 or later. Implement CSRF protection mechanisms at the Drupal application level as an interim measure.
Active exploitation is not currently confirmed, but the vulnerability is publicly known, increasing the potential for attacks.
Refer to the official Drupal security advisory for CVE-2026-4393 on the Drupal website for detailed information and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine composer.lock-Datei hoch und wir sagen dir sofort, ob du betroffen bist.