Platform
drupal
Component
drupal
Fixed in
3.1.0
3.1.1
CVE-2026-3527 is a Missing Authentication vulnerability (CWE-306: missing authentication for a critical function) in the Drupal AJAX Dashboard module. The module exposes functionality without verifying that the requester is authenticated and authorized, so an attacker can bypass the access controls the site expects to apply. Versions of the module prior to 3.1.0 are affected; the fix ships in 3.1.0 (and in 3.1.1, as listed above).
Because the affected code does not enforce authentication before serving its functionality, an attacker who can craft the right request can reach administrative functions or data that should be restricted. The blast radius depends on what the site has exposed through the AJAX Dashboard module and on the permissions its configuration grants. Depending on what the bypassed checks protected, successful exploitation could lead to unauthorized modification of site content, manipulation of user accounts, or full site takeover.
CVE-2026-3527 was publicly disclosed on 2026-03-26. No public proof-of-concept (PoC) code had been released at the time of writing. The EPSS score was still pending evaluation when this text was written; the metadata block on this page lists it as 0.04% (13th percentile), i.e. a low predicted probability of exploitation. It is not listed in the CISA KEV catalog.
Any Drupal site with the AJAX Dashboard module installed at a version earlier than 3.1.0 is at risk, whether or not the module's access controls have been customized; legacy deployments that are not tracked by Composer are easy to overlook. On shared hosting that serves several Drupal installations, each installation that carries the module must be checked and updated separately; a vulnerable site does not make its neighbours vulnerable, but any one of them left unpatched remains exposed.
• drupal: Check the installed version of the AJAX Dashboard module. With Drush 8, `drush pm-info ajax_dashboard` prints the version; on Drush 9 and later that command no longer exists, so use `drush pm:list --type=module --filter=ajax_dashboard` or read the version from `composer.lock` (`composer show` on a Composer-managed site). Any version prior to 3.1.0 is vulnerable.
• drupal: Review the AJAX Dashboard access control configuration in the Drupal administration interface and confirm that only roles that genuinely need them can reach sensitive functions. This limits exposure but does not replace the upgrade, since the flaw is a missing authentication check rather than a misconfiguration.
• generic web: Monitor access logs for unusual requests to AJAX Dashboard endpoints, in particular requests from anonymous sessions or from accounts that do not hold the permissions the dashboard is supposed to require.
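The version check in the first bullet can be automated against a Composer-managed site's `composer.lock`. The script below is an added example, not code from this page or from the AJAX Dashboard project. It assumes the module is published as the Composer package `drupal/ajax_dashboard` (an assumption; confirm the name in your own `composer.json`), and it embeds a constructed sample lock file so it runs offline. Composer orders pre-releases below the final release (3.1.0-beta1 < 3.1.0) and `dev-*` versions cannot be ordered at all, so both cases are handled explicitly rather than treated as fixed.

```python
"""Flag a vulnerable Drupal AJAX Dashboard version in a composer.lock file.

Added example for CVE-2026-3527; not part of the advisory or the module.
Assumes the Composer package name drupal/ajax_dashboard (unverified assumption).
"""
import json
import re
import sys

PACKAGE = "drupal/ajax_dashboard"   # assumed package name, check composer.json
# (major, minor, patch, is_final): the trailing 1 makes 3.1.0 sort above 3.1.0-beta1
FIXED = (3, 1, 0, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Map '3.0.4', 'v3.1.1' or '3.1.0-beta1' to a comparable tuple.

    Returns None for 'dev-main', '3.1.x-dev' or anything else that cannot be
    ordered against a release; callers must not treat None as safe.
    """
    if version.startswith("dev-") or version.endswith("-dev"):
        return None
    m = _VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if prerelease else 1)


def find_package(lock, name):
    """Locate a package entry in either the runtime or the dev section."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg
    return None


def assess(lock_text, package=PACKAGE):
    """Return (status, version) where status is one of
    'not-installed', 'unknown', 'vulnerable', 'fixed'."""
    lock = json.loads(lock_text)
    pkg = find_package(lock, package)
    if pkg is None:
        return ("not-installed", None)
    version = pkg.get("version", "")
    parsed = parse_version(version)
    if parsed is None:
        return ("unknown", version)
    return ("vulnerable" if parsed < FIXED else "fixed", version)


def lock_with(version):
    """Build a minimal constructed composer.lock containing the module at `version`."""
    return json.dumps({
        "packages": [
            {"name": "drupal/core", "version": "10.2.3"},
            {"name": PACKAGE, "version": version},
        ],
        "packages-dev": [],
    })


# Constructed sample: a site pinned to 3.0.4, i.e. before the fix.
SAMPLE_LOCK = lock_with("3.0.4")


if __name__ == "__main__":
    # Usage: python check_ajax_dashboard.py [path/to/composer.lock]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    status, version = assess(text)
    print(f"{PACKAGE}: {status} (version {version})")
    sys.exit(1 if status in ("vulnerable", "unknown") else 0)
```

Run it with the path to a real `composer.lock`; a non-zero exit status means "act on this", which covers both a confirmed vulnerable version and an unorderable `dev-*` checkout that must be verified by hand.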
disclosure
Exploit status
EPSS
0.04% (13th percentile)
CVSS vector
The primary mitigation for CVE-2026-3527 is to upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. If upgrading is not immediately possible, review and strictly enforce the access control configuration within the AJAX Dashboard module to reduce exposure, granting access to sensitive functions only to the roles that need them; treat this as a stop-gap, because the underlying defect is a missing authentication check that configuration alone cannot restore. Web Application Firewall (WAF) rules that block suspicious requests to the AJAX Dashboard endpoints can also buy time, with the same caveat. After upgrading, confirm the fix by attempting to reach restricted AJAX Dashboard functions both as an anonymous (unauthenticated) visitor and as an authenticated user without administrative permissions; both should be refused.
Update the AJAX Dashboard module to version 3.1.0 or later. This version corrects the missing authentication flaw that allowed the module's access control levels to be bypassed.
CVE-2026-3527 is a missing authentication vulnerability in Drupal AJAX Dashboard versions prior to 3.1.0, allowing attackers to bypass access controls.
You are affected if your Drupal site uses the AJAX Dashboard module and is running a version earlier than 3.1.0.
Upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. Review and strengthen access control configurations in the meantime.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Drupal security advisory for CVE-2026-3527 on the Drupal website.