Impact
A missing authorization flaw in the Drupal Date iCal module permits forceful browsing, allowing attackers to access calendar data that should be restricted. This vulnerability can lead to unintended exposure of potentially sensitive scheduling information and may compromise user privacy. The weakness is classified as Missing Authorization, indicating that the system does not properly verify that a user is permitted to view the requested resource.
Affected Systems
The Drupal Date iCal module is affected in all versions from 0.0.0 up to, but not including, 4.0.15. Users running these unpatched releases should assess whether the module is in use and whether calendar data is publicly exposed.
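One way to run that assessment on a Composer-managed site is to read `composer.lock` and compare the locked version against the fixed release 4.0.15. This is an added example, not code from the advisory or the module; the package name `drupal/date_ical` and the sample lock file are assumptions constructed for illustration.

```python
import json
import re

FIXED = (4, 0, 15)             # first fixed release, per the advisory
PACKAGE = "drupal/date_ical"   # assumed Composer package name for Date iCal


def parse_version(text):
    """Return (major, minor, patch) for a plain release string, else None.

    Dev branches and pre-releases (e.g. "4.0.x-dev", "4.0.15-rc1") return
    None so they are reviewed by hand instead of being reported as fixed.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def assess(lock_text):
    """Classify a composer.lock as 'absent', 'affected', 'fixed' or 'unknown'."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() == PACKAGE:
            version = parse_version(pkg.get("version", ""))
            if version is None:
                return "unknown"
            # Everything below 4.0.15 is in the affected range.
            return "affected" if version < FIXED else "fixed"
    return "absent"


# Constructed sample lock file (not taken from a real site).
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "drupal/core", "version": "10.2.0"},
    {"name": "drupal/date_ical", "version": "4.0.14"}
  ],
  "packages-dev": []
}
"""

if __name__ == "__main__":
    print(PACKAGE, "->", assess(SAMPLE_LOCK))
```

A result of `affected` or `fixed` only shows which code is on disk; whether the module is enabled and its calendar feeds are reachable without login still has to be checked on the site itself.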
Risk and Exploitability
No EPSS score is currently available, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is a straightforward lack of access checks, the likelihood of exploitation is high in environments where the module is deployed and exposed. An attacker would simply request known or guessed iCal URLs without authentication, and if the system does not enforce authorization, sensitive data would be returned. The impact is limited to a confidentiality breach rather than a full system compromise.