Description
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access bypass via forceful browsing
Action: Immediate Patch
AI Analysis

Impact

The Drupal Group invite module suffers from an Improper Check for Unusual or Exceptional Conditions flaw that allows forceful browsing of group resource URLs. This can let an attacker sidestep normal group membership checks and view or retrieve content intended for authorized group members only. The weakness is classified as CWE‑754 and results in a moderate violation of confidentiality and integrity for group information.

Affected Systems

The vulnerability affects installations of the Drupal Group invite module with versions from 0.0.0 up to, but not including, 2.3.9, from 3.0.0 up to, but not including, 3.0.4, and from 4.0.0 up to, but not including, 4.0.4. Any Drupal site that has the Group invite module in these affected ranges is susceptible.

Risk and Exploitability

The CVSS score of 5.3 denotes a medium risk, while the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The probable attack path involves manipulating group URLs to force the application to serve pages it normally restricts; the need for authentication is inferred rather than stated explicitly in the advisory. No public exploitation has been reported at this time.

Generated by OpenCVE AI on April 18, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Group invite module to version 2.3.9, 3.0.4, or 4.0.4 or newer.
  • Configure the module or site so that only verified group members can access group pages and resources.
  • Monitor web server logs for unusual requests to group paths and review audit logs for unauthorized access attempts.

Generated by OpenCVE AI on April 18, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-001 cve-icon cve-icon
History

Wed, 11 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Metadrop
Metadrop group Invite
CPEs cpe:2.3:a:metadrop:group_invite:*:*:*:*:*:drupal:*:*
Vendors & Products Metadrop
Metadrop group Invite

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal group Invite
Vendors & Products Drupal
Drupal group Invite

Wed, 04 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.
Title Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
Weaknesses CWE-754
References

Subscriptions

Drupal Group Invite
Metadrop Group Invite
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-02-04T20:40:47.035Z

Reserved: 2026-01-14T16:52:28.163Z

Link: CVE-2026-0944

cve-icon Vulnrichment

Updated: 2026-02-04T20:39:53.494Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T21:15:58.603

Modified: 2026-02-11T19:19:44.440

Link: CVE-2026-0944

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses