{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0945", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-14T16:52:29.540Z", "datePublished": "2026-02-04T20:25:28.874Z", "dateUpdated": "2026-02-12T13:57:44.840Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/role_delegation", "defaultStatus": "unaffected", "product": "Role Delegation", "repo": "https://git.drupalcode.org/project/role_delegation", "vendor": "Drupal", "versions": [{"lessThan": "1.5.0", "status": "affected", "version": "1.3.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Adam Bramley (acbramley)"}, {"lang": "en", "type": "remediation developer", "value": "Dieter Holvoet (dieterholvoet)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "datePublic": "2026-01-14T17:54:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.<p>This issue affects Role Delegation: from 1.3.0 before 1.5.0.</p>"}], "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-267", "description": "CWE-267 Privilege Defined With Unsafe Actions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:28.874Z"}, "references": [{"url": "https://www.drupal.org/sa-contrib-2026-002"}], "source": {"discovery": "UNKNOWN"}, "title": "Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T13:57:41.636711Z", "id": "CVE-2026-0945", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T13:57:44.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0945", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T13:57:41.636711Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:31:14.796Z"}}], "cna": {"title": "Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Adam Bramley (acbramley)"}, {"lang": "en", "type": "remediation developer", "value": "Dieter Holvoet (dieterholvoet)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/role_delegation", "vendor": "Drupal", "product": "Role Delegation", "versions": [{"status": "affected", "version": "1.3.0", "lessThan": "1.5.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/role_delegation", "defaultStatus": "unaffected"}], "datePublic": "2026-01-14T17:54:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-002"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.<p>This issue affects Role Delegation: from 1.3.0 before 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-267", "description": "CWE-267 Privilege Defined With Unsafe Actions"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:25:28.874Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0945", "state": "PUBLISHED", "dateUpdated": "2026-02-12T13:57:44.840Z", "dateReserved": "2026-01-14T16:52:29.540Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-02-04T20:25:28.874Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:role_delegation_project:role_delegation:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "D39CC1B5-D6C2-4F77-BBCA-9E84E385B8C4", "versionEndExcluding": "8.x-1.5", "versionStartIncluding": "8.x-1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0."}, {"lang": "es", "value": "La vulnerabilidad \"Privilege Defined With Unsafe Actions\" en la delegaci\u00f3n de roles de Drupal permite la escalada de privilegios. Este problema afecta a la delegaci\u00f3n de roles: desde la versi\u00f3n 1.3.0 hasta la 1.5.0."}], "id": "CVE-2026-0945", "lastModified": "2026-04-02T20:35:09.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-04T21:15:58.780", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-002"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-267"}], "source": "mlhess@drupal.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:15:10.890378+00:00", "value": {"mitigation_remediation": ["Update the Role Delegation module to version 1.5.0 or later to apply the vendor fix.", "If a timely update is not possible, disable or remove the Role Delegation module until an updated release is available.", "Revoke any elevated privileges that may have been granted through the module and audit all role assignments for anomalous changes."], "summary": {"action": "Assess Impact", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Drupal Role Delegation is affected in all releases from 1.3.0 up to, but not including, 1.5.0. The module should be identified by the standard Drupal naming for the Role Delegation project. No specific operating system versions are referenced.", "description_and_impact": "Drupal Role Delegation exposes a privilege\u2011defined with unsafe actions flaw that allows an attacker to elevate privileges. The weakness permits a user to gain higher permissions than intended, potentially compromising the confidentiality and integrity of the site. The vulnerability is classified as CWE\u2011267, a privilege\u2011management weakness.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of reporting. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, involves accessing the role delegation configuration through the Drupal administrative interface or leveraging existing authenticated roles to alter role assignments. Exploitation would require the attacker to determine which roles are delegable and then manipulate the hierarchy, but no explicit prerequisites such as administrative or multi\u2011factor authentication bypass are documented."}}}}, "created": "2026-02-05T11:39:26.729739+00:00", "updated": "2026-04-17T23:15:30.815023+00:00", "vendors": ["drupal", "drupal$PRODUCT$role_delegation"]}