Platform: drupal
Component: drupal
Fixed in: 10.1.5, 10.0.12, 9.5.12, 9.5.11
CVE-2023-5256 describes a sensitive data exposure vulnerability within the JSON:API module of Drupal Core. Under specific configurations, error backtraces containing sensitive information can be cached and exposed to anonymous users, potentially leading to privilege escalation. This issue affects Drupal Core versions up to and including 9.5.9. The vulnerability is resolved in Drupal version 9.5.11.
CVE-2023-5256 in Drupal affects the JSON:API module, allowing error backtraces to be output in certain scenarios. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. The impact is significant, with a CVSS score of 9.5, indicating a critical risk. It's crucial to understand that this vulnerability does not affect Drupal’s core REST modules or contributed GraphQL modules. Exposure of sensitive information in a production environment could compromise the application's security and user data.
Exploitation of this vulnerability requires the JSON:API module to be enabled and specific configurations that allow error backtraces to be cached. An attacker could trigger an error within the JSON:API module, generating an error backtrace containing sensitive information. If this backtrace is cached and served to anonymous users, the attacker could gain access to confidential information, such as file paths, database names, or even source code. The likelihood of exploitation depends on the site's specific configuration and the presence of errors within the JSON:API module.
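The condition described above can be checked from the defender's side. The following is an added example, not code from the advisory or from Drupal: it scans responses fetched without credentials from your own site's JSON:API routes for PHP trace frames inside error objects and reports whether the response was cacheable. The function names, the sample bodies and the `meta.trace` member are constructed for illustration; `X-Drupal-Cache` is the header set by Drupal's Internal Page Cache.

```python
import json
import re

# Frame format of PHP's Exception::getTraceAsString(), e.g. "#0 /app/x.php(12): f()".
TRACE_FRAME = re.compile(r"#\d+ (?:\{main\}|\[internal function\]|\S+\(\d+\):)")


def _strings(node, path):
    """Yield (json_pointer, value) for every string nested under node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}/{index}")


def find_backtrace_leaks(body):
    """Return JSON pointers of error-object members that contain PHP trace frames."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []  # not JSON at all, so not a JSON:API document
    errors = doc.get("errors") if isinstance(doc, dict) else None
    if not isinstance(errors, list):
        return []  # not a JSON:API error document
    return sorted(p for p, s in _strings(errors, "/errors") if TRACE_FRAME.search(s))


def audit_response(headers, body):
    """Classify one anonymous response as 'ok', 'leak' or 'cached-leak'."""
    if not find_backtrace_leaks(body):
        return "ok"
    h = {k.lower(): v.lower() for k, v in headers.items()}
    cached = h.get("x-drupal-cache") == "hit" or "public" in h.get("cache-control", "")
    return "cached-leak" if cached else "leak"


# Constructed sample responses (not captured from a real site).
LEAKY_BODY = json.dumps({"errors": [{
    "title": "Internal Server Error", "status": "500",
    "meta": {"trace": "#0 /var/www/html/core/example.php(42): example()\n#1 {main}"},
}]})
CLEAN_BODY = json.dumps({"errors": [{"title": "Not Found", "status": "404",
                                     "detail": "The requested resource was not found."}]})

if __name__ == "__main__":
    print(audit_response({"X-Drupal-Cache": "HIT"}, LEAKY_BODY))
    print(audit_response({"X-Drupal-Cache": "MISS"}, CLEAN_BODY))
```

A `cached-leak` result means the trace is being served from cache to unauthenticated clients, so the cache needs to be cleared after the update or module removal.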
Exploit Status
EPSS: 1.29% (80th percentile)
The most direct solution to mitigate this vulnerability is to uninstall the JSON:API module. If the module is essential for site functionality, updating to version 9.5.11 or higher, which includes the fix, is recommended. A full site backup should be performed before any module updates or uninstalls. Additionally, review site configurations to ensure no settings increase the risk of sensitive information exposure. Timely updates and good security practices are fundamental to protecting your Drupal site.
Uninstall the JSON:API module to mitigate the vulnerability. Alternatively, update Drupal Core to the latest available version that contains the fix for this issue. See the Drupal security advisory for more details and patches.
No, it only affects sites with the JSON:API module enabled.
Update the module to version 9.5.11 or higher.
If you have the JSON:API module enabled, your site is likely vulnerable. Perform penetration testing or consult with a Drupal security expert.
Vulnerability scanners can detect this vulnerability, but manual testing is important to confirm its presence.
File paths, database names, source code, and other confidential information found in error backtraces.