{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3573", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T21:17:43.868Z", "datePublished": "2026-03-26T20:10:13.350Z", "dateUpdated": "2026-03-30T14:54:43.980Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}, "title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "datePublic": "2026-03-11T16:33:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"vendor": "Drupal", "product": "AI (Artificial Intelligence)", "collectionURL": "https://www.drupal.org/project/ai", "repo": "https://git.drupalcode.org/project/ai", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "credits": [{"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "finder"}, {"lang": "en", "value": "Artem Dmitriiev (a.dmitriiev)", "type": "remediation developer"}, {"lang": "en", "value": "Abhisek Mazumdar (abhisekmazumdar)", "type": "remediation developer"}, {"lang": "en", "value": "Dave Long (longwave)", "type": "remediation developer"}, {"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "remediation developer"}, {"lang": "en", "value": "Valery Lourie (valthebald)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:40:38.581589Z", "id": "CVE-2026-3573", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:43.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3573", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:40:38.581589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:40:50.719Z"}}], "cna": {"title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Artem Dmitriiev (a.dmitriiev)"}, {"lang": "en", "type": "remediation developer", "value": "Abhisek Mazumdar (abhisekmazumdar)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Valery Lourie (valthebald)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ai", "vendor": "Drupal", "product": "AI (Artificial Intelligence)", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ai", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T16:33:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3573", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:43.980Z", "dateReserved": "2026-03-04T21:17:43.868Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:13.350Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artificial_intelligence_project:artificial_intelligence:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "71AE206A-B714-49CF-8581-AB8B167F0C05", "versionEndExcluding": "1.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:artificial_intelligence_project:artificial_intelligence:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "B8C36E65-EE16-4222-BA85-3A449B810D5C", "versionEndExcluding": "1.2.12", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal IA (Inteligencia Artificial) permite la inyecci\u00f3n de recursos. Este problema afecta a IA (Inteligencia Artificial): desde 0.0.0 antes de 1.1.11, desde 1.2.0 antes de 1.2.12."}], "id": "CVE-2026-3573", "lastModified": "2026-03-31T20:41:55.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.557", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-028"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.12)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "AI (Artificial Intelligence)", "source": "cna", "vendor": "Drupal"}, "product": "artificial_intelligence", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T06:47:26.024223+00:00", "value": {"mitigation_remediation": ["Apply the latest Drupal AI (Artificial Intelligence) patch that addresses the authorization flaw.", "Ensure that the system is upgraded to AI (Artificial Intelligence) version 1.1.11 or later, and 1.2.12 or later, for all components.", "If an immediate upgrade is not possible, restrict external access to the AI module by configuring firewall rules or role\u2011based access controls to block unauthorized requests."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure via Resource Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal AI (Artificial Intelligence) module. All releases from the initial 0.0.0 build up to before 1.1.11 and from 1.2.0 up to before 1.2.12 are impacted.", "description_and_impact": "Drupal AI (Artificial Intelligence) suffers a missing authorization check that allows attackers to inject resources and view sensitive data they are not permitted to access. This flaw can lead to the disclosure of confidential information and may enable attackers to gather additional context for further attacks. The weakness maps to CWE\u2011863, an authorization error that permits illicit resource access.", "risk_and_exploitability": "With a CVSS score of 7.5, the flaw is considered moderately severe. The EPSS score of less than 1% indicates low current exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack vector is via unauthorized web requests to the AI module\u2019s endpoints, exploiting the missing authorization safeguard. Mitigation requires applying the vendor\u2011issued patch or upgrading to a version beyond 1.1.11 or 1.2.12 to eliminate the flaw."}}}}, "created": "2026-03-27T08:32:09.021401+00:00", "updated": "2026-04-02T07:56:23.190228+00:00", "vendors": ["drupal", "drupal$PRODUCT$artificial_intelligence"]}