{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3527", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:55.560Z", "datePublished": "2026-03-26T20:03:05.935Z", "dateUpdated": "2026-03-27T18:14:54.400Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:05.935Z"}, "title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022", "datePublic": "2026-03-04T17:57:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Drupal", "product": "AJAX Dashboard", "collectionURL": "https://www.drupal.org/project/ajax_dashboard", "repo": "https://git.drupalcode.org/project/ajax_dashboard", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-022"}], "credits": [{"lang": "en", "value": "Juraj Nemec (poker10)", "type": "finder"}, {"lang": "en", "value": "Michael Nolan (laboratory.mike)", "type": "remediation developer"}, {"lang": "en", "value": "Bram Driesen (bramdriesen)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:14:37.894325Z", "id": "CVE-2026-3527", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:14:54.400Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:14:37.894325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:13:55.262Z"}}], "cna": {"title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "remediation developer", "value": "Michael Nolan (laboratory.mike)"}, {"lang": "en", "type": "coordinator", "value": "Bram Driesen (bramdriesen)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ajax_dashboard", "vendor": "Drupal", "product": "AJAX Dashboard", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "3.1.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ajax_dashboard", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T17:57:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-022"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:05.935Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3527", "state": "PUBLISHED", "dateUpdated": "2026-03-27T18:14:54.400Z", "dateReserved": "2026-03-04T16:41:55.560Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:03:05.935Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ceriumsoft:ajax_dashboard:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "8DD45B0F-9DCC-4715-BA1B-1653924E4783", "versionEndExcluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0."}, {"lang": "es", "value": "Vulnerabilidad de autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica en Drupal AJAX Dashboard permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a AJAX Dashboard: desde 0.0.0 anterior a 3.1.0."}], "id": "CVE-2026-3527", "lastModified": "2026-03-31T20:34:26.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.757", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-022"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,3.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AJAX Dashboard", "source": "cna", "vendor": "Drupal"}, "product": "ajax_dashboard", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T06:48:03.742318+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal AJAX Dashboard to version 3.1.0 or later.", "Verify that the dashboard\u2019s access control settings enforce authentication for all critical functions.", "Restrict the AJAX Dashboard endpoint to trusted user roles only.", "Monitor system logs for suspicious requests to the dashboard endpoint.", "Keep Drupal core and all contributed modules updated regularly."], "summary": {"action": "Apply patch", "impact": "Unauthorized access to critical functionality"}, "threat_synthesis": {"affected_systems": "The issue affects Drupal AJAX Dashboard for all releases from the initial 0.0.0 version through the version just before 3.1.0. Users of any earlier release are impacted.", "description_and_impact": "The vulnerability is a missing authentication for a critical function in Drupal AJAX Dashboard, caused by incorrectly configured access control levels. Attackers can invoke privileged actions that should be restricted, potentially modifying data or exposing sensitive information. This weakness is classified as CWE\u2011306.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates a medium severity, while the EPSS score of less than 1\u202f% implies a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector is not explicitly stated in the CVE data, it is inferred that the flaw can be triggered via a web request to the AJAX Dashboard\u2019s endpoint by a user who should not have access to the protected function. The risk remains moderate due to the potential for unauthorized use of critical functionality."}}}}, "created": "2026-03-27T08:32:17.214797+00:00", "updated": "2026-04-02T07:56:29.811698+00:00", "vendors": ["drupal", "drupal$PRODUCT$ajax_dashboard"]}