{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3527", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:55.560Z", "datePublished": "2026-03-26T20:03:05.935Z", "dateUpdated": "2026-03-26T20:03:05.935Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:05.935Z"}, "title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022", "datePublic": "2026-03-04T17:57:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Drupal", "product": "AJAX Dashboard", "collectionURL": "https://www.drupal.org/project/ajax_dashboard", "repo": "https://git.drupalcode.org/project/ajax_dashboard", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-022"}], "credits": [{"lang": "en", "value": "Juraj Nemec (poker10)", "type": "finder"}, {"lang": "en", "value": "Michael Nolan (laboratory.mike)", "type": "remediation developer"}, {"lang": "en", "value": "Bram Driesen (bramdriesen)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0."}], "id": "CVE-2026-3527", "lastModified": "2026-03-26T21:17:08.757", "metrics": {}, "published": "2026-03-26T21:17:08.757", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-022"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,3.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AJAX Dashboard", "source": "cna", "vendor": "Drupal"}, "product": "ajax_dashboard", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T23:05:20.540469+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading Drupal AJAX Dashboard to version 3.1.0 or later.", "Configure the module so that AJAX endpoints require authentication and assign appropriate roles to access them.", "If an upgrade cannot be performed immediately, restrict the dashboard URL in the web server or Drupal configuration to permit only authenticated users.", "Monitor access logs for any unauthorized attempts to reach the AJAX Dashboard endpoint."], "summary": {"action": "Update", "impact": "Unauthorized Access to Critical Functions"}, "threat_synthesis": {"affected_systems": "The Drupal AJAX Dashboard module is affected for all releases from its initial version 0.0.0 up to, but not including, version 3.1.0. The module is incorporated into Drupal sites that expose AJAX\u2011based administrative or monitoring interfaces, so any site running a vulnerable version has a potential entry point for exploitation.", "description_and_impact": "This vulnerability is a missing authentication flaw that allows an attacker to invoke critical operations within the Drupal AJAX Dashboard without possessing proper credentials. The weakness is identified as CWE\u2011306, indicating that the system fails to enforce necessary checks before granting access to a sensitive function. As a result, an unauthenticated user who reaches the affected endpoint can trigger privileged actions that are normally restricted to authenticated users.", "risk_and_exploitability": "No CVSS score or publicly available exploit probability metric exists for this vulnerability. The event is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a web request to the AJAX endpoint that bypasses authentication checks; this is inferred from the description of missing authentication. Exploitation requires network access to the Drupal instance and that the dashboard endpoint is reachable. The impact is the execution of privileged functions by an unauthenticated user, but the CVE data does not indicate any evidence of remote code execution or further privilege escalation."}}}}, "created": "2026-03-27T08:32:17.214797+00:00", "updated": "2026-03-27T09:23:46.138790+00:00", "vendors": ["drupal", "drupal$PRODUCT$ajax_dashboard"]}