Impact
This vulnerability is an incorrect authorization flaw (CWE-863) that allows forceful browsing of content that should be restricted: by directly requesting a URL the application should protect, a user who is unauthenticated or lacks the required privilege can retrieve files, pages, or resources intended to be hidden from them. CWE-863 denotes an authorization mechanism that exists but enforces the wrong policy, as opposed to one that is missing entirely. The impact is loss of confidentiality for the protected data, along with potential damage to the integrity and trustworthiness of the application.
Affected Systems
Drupal Canvas versions 0.0.0 through 1.0.3, that is, every release before 1.0.4, are affected. Releases from 1.0.4 onward are not listed as affected, so upgrading to 1.0.4 or later is the remediation.
Risk and Exploitability
The CVSS base score of 4.8 places this flaw in the medium severity band (4.0 to 6.9). The EPSS score is below 1%, meaning the model estimates a low probability that the vulnerability is exploited in the wild within the next 30 days, and it is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector, inferred from the forceful browsing behaviour described, is a remote HTTP request for a resource the requester is not authorized to view: an attacker constructs or guesses the URL of restricted content, and if the application fails to apply the correct access check (CWE-863), the content is returned regardless of the requester's privileges. No additional prerequisites are listed, which suggests that anyone who can send requests to the web interface can attempt this; confirm the required privileges against the full CVSS vector and the upstream Drupal security advisory before triaging, since the score alone does not state whether authentication is needed.
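The failure mode described above, as an added example that is not code from Drupal Canvas or from the advisory: a hypothetical mini-application in Python whose resources each carry a required permission, with a handler that only checks that the path exists (the CWE-863 pattern behind forceful browsing) beside one that enforces the permission, and a probe of the kind a tester would run to detect the flaw. The resource paths, permission names, and requesters are constructed for illustration and do not reflect Drupal Canvas's actual routes, permissions, or code.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data for illustration; not Drupal Canvas routes or permissions.


@dataclass(frozen=True)
class Resource:
    path: str
    body: str
    required_permission: Optional[str]  # None means public


@dataclass(frozen=True)
class Requester:
    name: str
    permissions: frozenset[str] = frozenset()


RESOURCES: dict[str, Resource] = {
    "/": Resource("/", "public landing page", None),
    "/canvas/page/12": Resource("/canvas/page/12", "published page", None),
    "/canvas/draft/7": Resource("/canvas/draft/7", "unpublished draft", "view unpublished content"),
    "/admin/config/canvas": Resource("/admin/config/canvas", "site configuration", "administer site"),
}

ANONYMOUS = Requester("anonymous")
EDITOR = Requester("editor", frozenset({"view unpublished content"}))

Handler = Callable[[str, Requester], tuple[int, str]]


def serve_vulnerable(path: str, requester: Requester) -> tuple[int, str]:
    """CWE-863 pattern: an access decision is made, but on the wrong question.
    The handler decides only whether the path exists, so any requester who
    knows or guesses a URL receives the content (forceful browsing)."""
    resource = RESOURCES.get(path)
    if resource is None:
        return 404, ""
    return 200, resource.body


def serve_fixed(path: str, requester: Requester) -> tuple[int, str]:
    """Correct enforcement: the permission attached to the resource is checked
    against the requester on every request, after the existence check."""
    resource = RESOURCES.get(path)
    if resource is None:
        return 404, ""
    needed = resource.required_permission
    if needed is not None and needed not in requester.permissions:
        # 403 is used here for clarity; answering 404 instead would also hide
        # the existence of restricted paths from unauthorized requesters.
        return 403, ""
    return 200, resource.body


def paths_that_should_be_denied(requester: Requester) -> list[str]:
    """Derive the expected-denied list from the resource policy itself, so the
    probe checks the handler against the policy rather than a hand-written list."""
    return [
        r.path
        for r in RESOURCES.values()
        if r.required_permission is not None
        and r.required_permission not in requester.permissions
    ]


def probe_forceful_browsing(handler: Handler, requester: Requester) -> list[str]:
    """Request every path the requester should be denied and report those the
    handler served anyway (HTTP 200). An empty list means no forceful browsing."""
    leaked = []
    for path in paths_that_should_be_denied(requester):
        status, _ = handler(path, requester)
        if status == 200:
            leaked.append(path)
    return leaked


if __name__ == "__main__":
    for name, handler in (("vulnerable", serve_vulnerable), ("fixed", serve_fixed)):
        print(name, "anonymous leaks:", probe_forceful_browsing(handler, ANONYMOUS))
        print(name, "editor leaks:", probe_forceful_browsing(handler, EDITOR))
```

Running the block prints the leaked paths for each handler: the vulnerable handler serves the draft and the admin page to an anonymous requester and the admin page to the editor, while the fixed handler serves nothing the policy denies. Against a real deployment the same probe is the regression check to run after upgrading: request each URL that should require a privilege as an unauthenticated client and assert on the status code rather than trusting that the access check exists.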
OpenCVE Enrichment