{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0944", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-14T16:52:28.163Z", "datePublished": "2026-02-04T20:25:17.113Z", "dateUpdated": "2026-02-04T20:40:47.035Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/ginvite", "defaultStatus": "unaffected", "product": "Group invite", "repo": "https://git.drupalcode.org/project/ginvite", "vendor": "Drupal", "versions": [{"lessThan": "2.3.9", "status": "affected", "version": "0.0.0", "versionType": "semver"}, {"lessThan": "3.0.4", "status": "affected", "version": "3.0.0", "versionType": "semver"}, {"lessThan": "4.0.4", "status": "affected", "version": "4.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kevin Quillen (kevinquillen)"}, {"lang": "en", "type": "remediation developer", "value": "eduardo morales alberti"}, {"lang": "en", "type": "remediation developer", "value": "Kevin Quillen (kevinquillen)"}, {"lang": "en", "type": "remediation developer", "value": "Nikolay Lobachev (lobsterr)"}, {"lang": "en", "type": "remediation developer", "value": "Ricardo Sanz Ante (tunic)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "datePublic": "2026-01-14T17:53:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.<p>This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.</p>"}], "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4."}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:17.113Z"}, "references": [{"url": "https://www.drupal.org/sa-contrib-2026-001"}], "source": {"discovery": "UNKNOWN"}, "title": "Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T20:40:24.280905Z", "id": "CVE-2026-0944", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:40:47.035Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T20:40:24.280905Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:39:53.494Z"}}], "cna": {"title": "Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kevin Quillen (kevinquillen)"}, {"lang": "en", "type": "remediation developer", "value": "eduardo morales alberti"}, {"lang": "en", "type": "remediation developer", "value": "Kevin Quillen (kevinquillen)"}, {"lang": "en", "type": "remediation developer", "value": "Nikolay Lobachev (lobsterr)"}, {"lang": "en", "type": "remediation developer", "value": "Ricardo Sanz Ante (tunic)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ginvite", "vendor": "Drupal", "product": "Group invite", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.3.9", "versionType": "semver"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.0.4", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.4", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ginvite", "defaultStatus": "unaffected"}], "datePublic": "2026-01-14T17:53:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-001"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.<p>This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-754", "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:17.113Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0944", "state": "PUBLISHED", "dateUpdated": "2026-02-04T20:40:47.035Z", "dateReserved": "2026-01-14T16:52:28.163Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-02-04T20:25:17.113Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:metadrop:group_invite:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "4051913C-ED82-48A0-B44B-C94BC22A15FB", "versionEndExcluding": "2.3.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:metadrop:group_invite:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "706621E6-B586-46B8-9161-A85CEA9497B8", "versionEndExcluding": "3.0.4", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:metadrop:group_invite:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "40921C8A-8A8D-4578-B36E-31C66491CCF9", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4."}], "id": "CVE-2026-0944", "lastModified": "2026-02-11T19:19:44.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-04T21:15:58.603", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-001"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:45:20.313007+00:00", "value": {"mitigation_remediation": ["Upgrade the Group invite module to version 2.3.9, 3.0.4, or 4.0.4 or newer.", "Configure the module or site so that only verified group members can access group pages and resources.", "Monitor web server logs for unusual requests to group paths and review audit logs for unauthorized access attempts."], "summary": {"action": "Immediate Patch", "impact": "Access bypass via forceful browsing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the Drupal Group invite module with versions from 0.0.0 up to, but not including, 2.3.9, from 3.0.0 up to, but not including, 3.0.4, and from 4.0.0 up to, but not including, 4.0.4. Any Drupal site that has the Group invite module in these affected ranges is susceptible.", "description_and_impact": "The Drupal Group invite module suffers from an Improper Check for Unusual or Exceptional Conditions flaw that allows forceful browsing of group resource URLs. This can let an attacker sidestep normal group membership checks and view or retrieve content intended for authorized group members only. The weakness is classified as CWE\u2011754 and results in a moderate violation of confidentiality and integrity for group information.", "risk_and_exploitability": "The CVSS score of 5.3 denotes a medium risk, while the EPSS score of less than 1% indicates a very low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The probable attack path involves manipulating group URLs to force the application to serve pages it normally restricts; the need for authentication is inferred rather than stated explicitly in the advisory. No public exploitation has been reported at this time."}}}}, "created": "2026-02-05T11:39:43.604394+00:00", "updated": "2026-04-18T13:45:45.684062+00:00", "vendors": ["drupal", "drupal$PRODUCT$group_invite"]}