Description
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to critical functionality
Action: Apply patch
AI Analysis

Impact

The vulnerability is a missing authentication for a critical function in Drupal AJAX Dashboard, caused by incorrectly configured access control levels. Attackers can invoke privileged actions that should be restricted, potentially modifying data or exposing sensitive information. This weakness is classified as CWE‑306.

Affected Systems

The issue affects Drupal AJAX Dashboard for all releases from the initial 0.0.0 version through the version just before 3.1.0. Users of any earlier release are impacted.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity, while the EPSS score of less than 1 % implies a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector is not explicitly stated in the CVE data, it is inferred that the flaw can be triggered via a web request to the AJAX Dashboard’s endpoint by a user who should not have access to the protected function. The risk remains moderate due to the potential for unauthorized use of critical functionality.

Generated by OpenCVE AI on April 1, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drupal AJAX Dashboard to version 3.1.0 or later.
  • Verify that the dashboard’s access control settings enforce authentication for all critical functions.
  • Restrict the AJAX Dashboard endpoint to trusted user roles only.
  • Monitor system logs for suspicious requests to the dashboard endpoint.
  • Keep Drupal core and all contributed modules updated regularly.

Generated by OpenCVE AI on April 1, 2026 at 06:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-022 cve-icon cve-icon
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Ceriumsoft
Ceriumsoft ajax Dashboard
CPEs cpe:2.3:a:ceriumsoft:ajax_dashboard:*:*:*:*:*:drupal:*:*
Vendors & Products Ceriumsoft
Ceriumsoft ajax Dashboard

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal ajax Dashboard
Vendors & Products Drupal
Drupal ajax Dashboard

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.
Title AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Weaknesses CWE-306
References

Subscriptions

Ceriumsoft Ajax Dashboard
Drupal Ajax Dashboard
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T18:14:54.400Z

Reserved: 2026-03-04T16:41:55.560Z

Link: CVE-2026-3527

cve-icon Vulnrichment

Updated: 2026-03-27T18:13:55.262Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.757

Modified: 2026-03-31T20:34:26.810

Link: CVE-2026-3527

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:29Z

Weaknesses