Platform
drupal
Component
drupal
Fixed in
1.7.0
2.0.2
8.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Automated Logout, allowing attackers to potentially perform unauthorized actions. This flaw impacts versions ranging from 2.0.0 up to 8.x-1.7. The vulnerability has been resolved in version 2.0.2, and users are strongly advised to upgrade.
This CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they did not intend. Successful exploitation could lead to unauthorized modifications of Automated Logout settings, potentially impacting user session management and security policies within the Drupal site. The attacker needs to craft a malicious request that the user unknowingly submits, leveraging their authenticated session. While the direct impact may seem limited to the Automated Logout module, a compromised configuration could have broader implications for site security.
CVE-2026-4393 was publicly disclosed on 2026-03-26. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's impact is considered medium, and it is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the availability of the CVE details increases the risk of potential attacks.
Exploit Status
EPSS
0.02% (4% percentile)
CVSS Vector
The primary mitigation is to upgrade Drupal Automated Logout to version 2.0.2 or later. If immediate upgrading is not feasible, consider implementing strict input validation and output encoding within the Automated Logout module to prevent malicious requests. Additionally, implement CSRF protection mechanisms at the Drupal application level, such as using CSRF tokens for all sensitive operations. Review and restrict access to Automated Logout configuration pages to authorized personnel only.
Update the Automated Logout module to version 1.7.0 or higher, or to version 2.0.2 or higher, as appropriate for your version branch. This will correct the Cross-Site Request Forgery (CSRF) vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-4393 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Automated Logout module, allowing attackers to perform unauthorized actions if users unknowingly submit malicious requests.
You are affected if you are using Drupal Automated Logout versions 2.0.0–8.x-1.7. Upgrade to version 2.0.2 to mitigate the risk.
Upgrade Drupal Automated Logout to version 2.0.2 or later. Implement CSRF protection mechanisms at the Drupal application level as an interim measure.
Active exploitation is not currently confirmed, but the vulnerability is publicly known, increasing the potential for attacks.
Refer to the official Drupal security advisory for CVE-2026-4393 on the Drupal website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.