Description
Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.

This issue affects Date iCal: from 0.0.0 before 4.0.15.
Published: 2026-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in the Drupal Date iCal module permits forceful browsing, allowing attackers to access calendar data that should be restricted. This vulnerability can lead to unintended exposure of potentially sensitive scheduling information and may compromise user privacy. The weakness is classified as Missing Authorization, indicating that the system does not properly verify that a user is permitted to view the requested resource.

Affected Systems

The Drupal Date iCal module, versions starting at 0.0.0 and any release before 4.0.15, is affected. Users running these unpatched releases should assess whether the module is in use and whether calendar data is publicly exposed.

Risk and Exploitability

Because the flaw is a straightforward lack of access checks, the likelihood of exploitation is high in environments where the module is deployed and exposed. An attacker would simply request known or guessed iCal URLs without authentication, and if the system does not enforce authorization, sensitive data would be returned. The CVSS score of 9.8 indicates critical severity. The EPSS score of < 1% shows that the overall exploitation probability across all systems is low, but the vulnerability remains a high risk wherever the module is present. The vulnerability is not listed in CISA's KEV catalog. The impact described here is limited to a confidentiality breach rather than full system compromise, in line with the advisory title's "Information disclosure" classification; note that the CVSS vector recorded in the History below also rates integrity and availability impact as High.

Generated by OpenCVE AI on May 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Date iCal module to version 4.0.15 or later
  • Enforce proper authorization checks on all iCal endpoints to prevent forceful browsing
  • Restrict or remove publicly accessible paths that expose calendar data

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Date Ical Project; Date Ical Project date Ical |
| CPEs | | cpe:2.3:a:date_ical_project:date_ical:*:*:*:*:*:drupal:*:* |
| Vendors & Products | | Date Ical Project; Date Ical Project date Ical |

Wed, 20 May 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 20 May 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Drupal; Drupal date Ical |
| Vendors & Products | | Drupal; Drupal date Ical |

Tue, 19 May 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. |
| Title | | Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037 |
| Weaknesses | | CWE-862 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-20T16:35:44.458Z

Reserved: 2026-05-13T16:55:31.986Z

Link: CVE-2026-8495

Vulnrichment

Updated: 2026-05-20T15:54:19.643Z

NVD

Status: Analyzed

Published: 2026-05-19T23:16:59.117

Modified: 2026-05-27T15:14:11.787

Link: CVE-2026-8495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T18:30:36Z
