プラットフォーム
drupal
コンポーネント
drupal
修正版
1.7.0
2.0.2
8.0.1
A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Automated Logout, allowing attackers to potentially perform unauthorized actions. This flaw impacts versions ranging from 2.0.0 up to 8.x-1.7. The vulnerability has been resolved in version 2.0.2, and users are strongly advised to upgrade.
This CSRF vulnerability allows an attacker to trick a logged-in user into unknowingly performing actions they did not intend. Successful exploitation could lead to unauthorized modifications of Automated Logout settings, potentially impacting user session management and security policies within the Drupal site. The attacker needs to craft a malicious request that the user unknowingly submits, leveraging their authenticated session. While the direct impact may seem limited to the Automated Logout module, a compromised configuration could have broader implications for site security.
CVE-2026-4393 was publicly disclosed on 2026-03-26. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's impact is considered medium, and it is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the availability of the CVE details increases the risk of potential attacks.
Websites using Drupal with the Automated Logout module installed, particularly those running vulnerable versions (2.0.0–8.x-1.7). Sites with less stringent access controls to the Automated Logout configuration are at higher risk.
• drupal / module: Check Drupal module versions for Automated Logout.
drush pm-info --title --core --modules --themes --profiles | grep Automated Logout• drupal / configuration: Review Automated Logout configuration settings for unexpected changes. • generic web: Monitor access logs for suspicious requests targeting Automated Logout endpoints.
disclosure
エクスプロイト状況
EPSS
0.02% (4% パーセンタイル)
CVSS ベクトル
The primary mitigation is to upgrade Drupal Automated Logout to version 2.0.2 or later. If immediate upgrading is not feasible, consider implementing strict input validation and output encoding within the Automated Logout module to prevent malicious requests. Additionally, implement CSRF protection mechanisms at the Drupal application level, such as using CSRF tokens for all sensitive operations. Review and restrict access to Automated Logout configuration pages to authorized personnel only.
Automated Logoutモジュールをバージョン1.7.0以降、またはバージョン2.0.2以降にアップデートしてください。これにより、クロスサイトリクエストフォージェリ (CSRF) の脆弱性が修正されます。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2026-4393 is a Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Automated Logout module, allowing attackers to perform unauthorized actions if users unknowingly submit malicious requests.
You are affected if you are using Drupal Automated Logout versions 2.0.0–8.x-1.7. Upgrade to version 2.0.2 to mitigate the risk.
Upgrade Drupal Automated Logout to version 2.0.2 or later. Implement CSRF protection mechanisms at the Drupal application level as an interim measure.
Active exploitation is not currently confirmed, but the vulnerability is publicly known, increasing the potential for attacks.
Refer to the official Drupal security advisory for CVE-2026-4393 on the Drupal website for detailed information and updates.
composer.lock ファイルをアップロードすると、影響の有無を即座にお知らせします。