Platform: drupal
Component: drupal
Fixed in: 3.1.0, 3.1.1
CVE-2026-3527 describes a Missing Authentication vulnerability affecting the Drupal AJAX Dashboard module. This flaw allows attackers to bypass access control security levels, potentially gaining unauthorized access to sensitive data or functionality. The vulnerability impacts versions of the module prior to 3.1.0. A fix is available in version 3.1.0.
The Missing Authentication vulnerability in Drupal AJAX Dashboard allows an attacker to exploit incorrectly configured access control security levels. This means an attacker who can craft a malicious request can potentially access administrative functions or data they should not have access to. The blast radius depends on the specific configuration of the Drupal site and the permissions granted within the AJAX Dashboard module. Successful exploitation could lead to unauthorized modifications of site content, user account manipulation, or even complete site takeover, depending on the attacker's ability to leverage the bypassed access controls.
CVE-2026-3527 was publicly disclosed on 2026-03-26. No public proof-of-concept (POC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not listed on the CISA KEV catalog.
Drupal sites utilizing the AJAX Dashboard module, especially those with custom access control configurations or legacy deployments, are at risk. Shared hosting environments where multiple Drupal sites share the same server resources may also be affected if one site is vulnerable.
• drupal: Check the version of the AJAX Dashboard module using drush pm-info ajax_dashboard. Look for versions prior to 3.1.0.
• drupal: Review AJAX Dashboard access control configurations in the Drupal administration interface. Ensure that only authorized users have access to sensitive functions.
• generic web: Monitor access logs for unusual requests targeting AJAX Dashboard endpoints, particularly those originating from unauthorized users.
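As an added example that is not part of this advisory, the script below performs the version check from the first step above against a composer.lock file (the lock file that Composer-managed Drupal sites carry) instead of running drush interactively. It assumes the module's Composer package name is drupal/ajax_dashboard, which the advisory does not state, and it embeds a constructed sample lock file so it runs offline.

```python
"""Check a composer.lock for a pre-fix drupal/ajax_dashboard release.

Added example, not taken from the advisory or the module project. The
package name below is an assumption: the advisory only gives the drush
machine name ajax_dashboard, and Drupal contrib modules are normally
published on Packagist as drupal/<machine_name>.
"""
import json
import re
import sys

PACKAGE = "drupal/ajax_dashboard"   # assumed Composer package name
FIXED_VERSION = (3, 1, 0)            # fix shipped in 3.1.0 per the advisory


def parse_version(version: str):
    """Turn '3.0.2' or 'v3.0.2' into a comparable tuple.

    Returns None for non-release pins such as 'dev-3.x', which cannot be
    ordered against the fixed version and must be checked by hand.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def find_installed(lock: dict, name: str):
    """Return the pinned version of `name`, looking in both lock sections."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def assess(lock: dict) -> str:
    """Classify the lock file: 'not-installed', 'vulnerable', 'fixed' or 'unknown'."""
    version = find_installed(lock, PACKAGE)
    if version is None:
        return "not-installed"
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"          # dev branch or unparseable pin: inspect manually
    return "vulnerable" if parsed < FIXED_VERSION else "fixed"


# Constructed sample lock file (not a real project) pinning a pre-fix release.
SAMPLE_LOCK = {
    "packages": [
        {"name": "drupal/core", "version": "10.2.4"},
        {"name": PACKAGE, "version": "3.0.5"},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    # Usage: python check_ajax_dashboard.py [path/to/composer.lock]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lock = json.load(open(path)) if path else SAMPLE_LOCK
    print(f"{PACKAGE}: {assess(lock)}")
```

The check is deliberately conservative: a `dev-` pin or any version it cannot parse is reported as unknown rather than fixed, so a site tracking a development branch still gets flagged for manual review.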
disclosure
Exploit status
EPSS
0.04% (13th percentile)
CVSS vector
The primary mitigation for CVE-2026-3527 is to upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. If upgrading is not immediately feasible, review and strictly enforce access control configurations within the AJAX Dashboard module to minimize potential exposure. Ensure that only authorized users have access to sensitive functions. Consider implementing Web Application Firewall (WAF) rules to block suspicious requests targeting the AJAX Dashboard endpoints. After upgrade, confirm the fix by attempting to access restricted AJAX Dashboard functions with a non-administrative user account.
Update the AJAX Dashboard module to version 3.1.0 or later. This version fixes the missing authentication vulnerability that allows the access control security levels to be exploited.
CVE-2026-3527 is a missing authentication vulnerability in Drupal AJAX Dashboard versions prior to 3.1.0, allowing attackers to bypass access controls.
You are affected if your Drupal site uses the AJAX Dashboard module and is running a version earlier than 3.1.0.
Upgrade the Drupal AJAX Dashboard module to version 3.1.0 or later. Review and strengthen access control configurations in the meantime.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official Drupal security advisory for CVE-2026-3527 on the Drupal website.