Description
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Resource Injection
Action: Immediate Patch
AI Analysis

Impact

Drupal AI (Artificial Intelligence) suffers a missing authorization check that allows attackers to inject resources and view sensitive data they are not permitted to access. This flaw can lead to the disclosure of confidential information and may enable attackers to gather additional context for further attacks. The weakness maps to CWE‑863, an authorization error that permits illicit resource access.

Affected Systems

The vulnerability affects the Drupal AI (Artificial Intelligence) module. All releases from 0.0.0 up to but not including 1.1.11, and from 1.2.0 up to but not including 1.2.12, are impacted.

Risk and Exploitability

The flaw has a CVSS score of 7.5 (High); the Drupal advisory title rates it moderately critical. The EPSS score of less than 1% indicates a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. The likely attack vector is unauthorized web requests to the AI module’s endpoints that exploit the missing authorization check. Mitigation requires applying the vendor‑issued patch or upgrading to 1.1.11 or later, or to 1.2.12 or later for releases from 1.2.0 onward.

Generated by OpenCVE AI on April 1, 2026 at 06:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Drupal AI (Artificial Intelligence) patch that addresses the authorization flaw.
  • Upgrade the AI (Artificial Intelligence) module to version 1.1.11 or later, or to 1.2.12 or later for releases from 1.2.0 onward.
  • If an immediate upgrade is not possible, restrict external access to the AI module by configuring firewall rules or role‑based access controls to block unauthorized requests.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Artificial Intelligence Project; Artificial Intelligence Project artificial Intelligence |
| CPEs | | cpe:2.3:a:artificial_intelligence_project:artificial_intelligence:*:*:*:*:*:drupal:*:* |
| Vendors & Products | | Artificial Intelligence Project; Artificial Intelligence Project artificial Intelligence |

Mon, 30 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 30 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


Fri, 27 Mar 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Drupal; Drupal artificial Intelligence |
| Vendors & Products | | Drupal; Drupal artificial Intelligence |

Thu, 26 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12. |
| Title | | AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 |
| Weaknesses | | CWE-863 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-30T14:54:43.980Z

Reserved: 2026-03-04T21:17:43.868Z

Link: CVE-2026-3573

Vulnrichment

Updated: 2026-03-30T14:40:50.719Z

NVD

Status: Analyzed

Published: 2026-03-26T21:17:09.557

Modified: 2026-03-31T20:41:55.700

Link: CVE-2026-3573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:56:23Z