Platform: drupal
Component: drupal
Fixed versions: 1.2.1, 1.2.2
A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Theme Negotiation by Rules, affecting versions up to 1.2.1. The flaw lets an attacker trick authenticated users into performing actions they did not intend, potentially leading to unauthorized changes to the site's configuration or data. The vulnerability was published on 2026-03-25, and a patch is available in version 1.2.1.
The CSRF vulnerability in Drupal Theme Negotiation by Rules allows an attacker to craft malicious requests that appear to originate from a legitimate user. If successful, an attacker could modify theme negotiation rules, potentially altering how the site renders content or redirects users. This could lead to defacement, redirection to malicious websites, or even the execution of arbitrary code if the theme negotiation rules are exploited in conjunction with other vulnerabilities. The blast radius extends to any user with access to the administrative interface, as their actions could be hijacked.
This vulnerability is currently not known to be actively exploited. It was publicly disclosed on 2026-03-25. No public proof-of-concept exploits are currently available. The vulnerability has not been added to the CISA KEV catalog.
Drupal sites utilizing the Theme Negotiation by Rules module, particularly those running versions prior to 1.2.1, are at risk. Sites with less stringent security practices or those that haven't implemented CSRF protection mechanisms are particularly vulnerable.
• drupal:
  find /var/www/html -name 'theme_negotiation_by_rules.module' -print0 | xargs -0 grep -i 'DRUPAL_CORE_VERSION'
• generic web:
  curl -I https://your-drupal-site.com/ | grep -i 'content-type'
Exploit status
EPSS
0.02% (4th percentile)
CVSS vector
The primary mitigation for CVE-2026-3211 is to immediately upgrade Drupal Theme Negotiation by Rules to version 1.2.1 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data used in theme negotiation rules. Implementing a CSRF protection mechanism, such as a token system, can also help mitigate the risk. After upgrading, confirm the fix by attempting to submit a malicious request and verifying that it is blocked.
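As an added illustration of the token mechanism mentioned above (example code, not the module's own code and not a depiction of how this CVE was fixed): a state-changing Drupal controller route with no CSRF check beside the same route validating a token from core's CsrfTokenGenerator. The route, controller and config names (example_rules.*) are hypothetical.

```php
<?php
// Added example (not code from the Theme Negotiation by Rules module, and not
// the actual fix). Route/controller/config names example_rules.* are hypothetical.

namespace Drupal\example_rules\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class RuleToggleController extends ControllerBase {
  // Weak: a plain GET to admin/config/example-rules/{rule_id}/toggle flips the
  // rule. Any page an admin visits can make their browser send that request,
  // which is the CSRF scenario described above.
  public function toggleUnprotected(string $rule_id): RedirectResponse {
    $this->flipRule($rule_id);
    return new RedirectResponse(Url::fromRoute('example_rules.list')->toString());
  }

  // Hardened: require a session-bound token tied to this exact path. Declaring
  //   requirements: { _csrf_token: 'TRUE' }
  // on the route makes Drupal run this check itself (CsrfAccessCheck) and makes
  // Url::fromRoute() append the token; it is written out here to show the check.
  public function toggleProtected(Request $request, string $rule_id): RedirectResponse {
    $token = (string) $request->query->get('token', '');
    $path = "admin/config/example-rules/{$rule_id}/toggle";
    if (!\Drupal::csrfToken()->validate($token, $path)) {
      throw new AccessDeniedHttpException('Missing or invalid CSRF token.');
    }
    $this->flipRule($rule_id);
    return new RedirectResponse(Url::fromRoute('example_rules.list')->toString());
  }

  // Link the admin listing should emit: the token is generated server-side for
  // the same path value the check above validates.
  public function protectedToggleUrl(string $rule_id): string {
    $path = "admin/config/example-rules/{$rule_id}/toggle";
    return Url::fromRoute('example_rules.toggle', ['rule_id' => $rule_id], [
      'query' => ['token' => \Drupal::csrfToken()->get($path)],
    ])->toString();
  }

  private function flipRule(string $rule_id): void {
    $config = $this->configFactory()->getEditable('example_rules.settings');
    $config->set("rules.$rule_id.enabled", !$config->get("rules.$rule_id.enabled"))->save();
  }
}
```

Forms built with Drupal's Form API already carry this token automatically; the manual check is only needed for custom controllers that change state outside the Form API.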
Update the Theme Negotiation by Rules module to version 1.2.1 or later. This version fixes the CSRF vulnerability. The latest version can be downloaded from the project page on drupal.org or updated through Composer.
CVE-2026-3211 is a Cross-Site Request Forgery (CSRF) vulnerability in Drupal Theme Negotiation by Rules that allows attackers to perform unauthorized actions.
You are affected if you are using Drupal Theme Negotiation by Rules versions ≤1.2.1. Upgrade to 1.2.1 to mitigate the risk.
Upgrade Drupal Theme Negotiation by Rules to version 1.2.1 or later. Consider implementing CSRF protection mechanisms if immediate upgrade is not possible.
Currently, there are no reports of CVE-2026-3211 being actively exploited, but it is important to apply the patch promptly.
Refer to the official Drupal security advisory for detailed information and updates regarding CVE-2026-3211.