{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1553", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-28T17:01:08.406Z", "datePublished": "2026-02-04T20:26:22.334Z", "dateUpdated": "2026-02-04T21:21:35.681Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.drupal.org/project/canvas", "defaultStatus": "unaffected", "product": "Drupal Canvas", "repo": "https://git.drupalcode.org/project/canvas", "vendor": "Drupal", "versions": [{"lessThan": "1.0.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "jschref"}, {"lang": "en", "type": "remediation developer", "value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"}, {"lang": "en", "type": "remediation developer", "value": "Matt Glaman (mglaman)"}, {"lang": "en", "type": "remediation developer", "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"}, {"lang": "en", "type": "remediation developer", "value": "Tim Plunkett (tim.plunkett)"}, {"lang": "en", "type": "coordinator", "value": "Alex Bronstein (effulgentsia)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}], "datePublic": "2026-01-28T17:28:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.<p>This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.</p>"}], "value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4."}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:26:22.334Z"}, "references": [{"url": "https://www.drupal.org/sa-contrib-2026-006"}], "source": {"discovery": "UNKNOWN"}, "title": "Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:21:13.798297Z", "id": "CVE-2026-1553", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:21:35.681Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1553", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:21:13.798297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:21:32.635Z"}}], "cna": {"title": "Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "jschref"}, {"lang": "en", "type": "remediation developer", "value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"}, {"lang": "en", "type": "remediation developer", "value": "Matt Glaman (mglaman)"}, {"lang": "en", "type": "remediation developer", "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"}, {"lang": "en", "type": "remediation developer", "value": "Tim Plunkett (tim.plunkett)"}, {"lang": "en", "type": "coordinator", "value": "Alex Bronstein (effulgentsia)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/canvas", "vendor": "Drupal", "product": "Drupal Canvas", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.0.4", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/canvas", "defaultStatus": "unaffected"}], "datePublic": "2026-01-28T17:28:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-006"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.<p>This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-02-04T20:26:22.334Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1553", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:21:35.681Z", "dateReserved": "2026-01-28T17:01:08.406Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-02-04T20:26:22.334Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal_canvas_project:drupal_canvas:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "8C71CD74-430A-41FC-85C5-7839D57819B6", "versionEndExcluding": "1.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4."}], "id": "CVE-2026-1553", "lastModified": "2026-02-11T19:19:03.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-04T21:15:59.267", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-006"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:13:55.284728+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Canvas to version 1.0.4 or later, where the access check has been corrected.", "Verify that access control rules for Canvas content are properly configured to restrict roles and permissions.", "As a temporary workaround, configure the web server or application firewall to block direct access to known Canvas endpoints for unauthenticated users, such as by adding .htaccess restrictions or IP-based rules."], "summary": {"action": "Patch", "impact": "Forceful Browsing \u2013 unauthorized access to restricted resources"}, "threat_synthesis": {"affected_systems": "Drupal Canvas versions before 1.0.4 are affected. Any deployment using Drupal Canvas 0.0.0 up to 1.0.3 is vulnerable.", "description_and_impact": "This vulnerability is an incorrect authorization flaw that allows attackers to perform forceful browsing of content that should be restricted. By directly requesting URLs that the system should protect, an unauthorized user can access files, pages, or resources that are meant to be hidden from unauthenticated or non\u2011privileged users. The weakness is identified as CWE\u2011863, indicating a failure of policy enforcement in the authorization mechanism. The impact is loss of confidentiality for protected data and potential damage to the integrity and trustworthiness of the application.", "risk_and_exploitability": "The CVSS score of 4.8 classifies this flaw as medium severity, and the EPSS score, which is below 1%, indicates a low probability of exploitation. The vulnerability is not currently cataloged in the CISA Known Exploited Vulnerabilities database. The likely attack vector is a remote HTTP request to unauthorized resources, inferred from the forceful browsing behavior described. In practice, an attacker can construct URLs to restricted content; if the application fails to enforce the correct access controls (CWE\u2011863), the content is returned to the requester without authentication or authorization. No additional prerequisites are listed, implying that the vulnerability can be leveraged by anyone who can access the web interface."}}}}, "created": "2026-02-05T11:39:24.403924+00:00", "updated": "2026-04-17T23:15:30.813286+00:00", "vendors": ["drupal", "drupal$PRODUCT$canvas"]}