Description
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via forceful browsing
Action: Patch immediately
AI Analysis

Impact

The vulnerability arises from incorrect authorization checks in Drupal's Material Icons module. An attacker can forcefully browse to assets or URLs that should be restricted, exposing potentially sensitive content. This weakness maps to CWE‑863, which deals with improper authorization. The primary consequence is that users or attackers gain access to resources that should be protected, undermining confidentiality but not directly affecting system availability or integrity.

Affected Systems

Drupal website operators using the Material Icons module are impacted. Versions starting from the initial release up to, but not including, 2.0.4 are vulnerable. If your site runs an older version of this module on Drupal, it is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of less than 1 % suggests that the exploit probability is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit the flaw by manipulating URLs or requests to access the protected content, a typical forceful browsing scenario. While exploitation risk remains moderate, the potential impact on confidential material warrants prompt attention.

Generated by OpenCVE AI on April 1, 2026 at 05:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Material Icons module to version 2.0.4 or later.
  • Verify that the updated module retains proper authorization checks in your Drupal environment.

Generated by OpenCVE AI on April 1, 2026 at 05:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-011 cve-icon cve-icon
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Imagexmedia
Imagexmedia material Icons
CPEs cpe:2.3:a:imagexmedia:material_icons:*:*:*:*:*:drupal:*:*
Vendors & Products Imagexmedia
Imagexmedia material Icons

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal material Icons
Vendors & Products Drupal
Drupal material Icons

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.
Title Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
Weaknesses CWE-863
References

Subscriptions

Drupal Material Icons
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-26T14:34:55.742Z

Reserved: 2026-02-25T16:59:24.447Z

Link: CVE-2026-3210

cve-icon Vulnrichment

Updated: 2026-03-25T20:03:07.380Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T16:16:21.940

Modified: 2026-03-31T19:22:12.583

Link: CVE-2026-3210

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:14Z

Weaknesses