{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3573", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T21:17:43.868Z", "datePublished": "2026-03-26T20:10:13.350Z", "dateUpdated": "2026-03-26T20:10:13.350Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}, "title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "datePublic": "2026-03-11T16:33:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"vendor": "Drupal", "product": "AI (Artificial Intelligence)", "collectionURL": "https://www.drupal.org/project/ai", "repo": "https://git.drupalcode.org/project/ai", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "credits": [{"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "finder"}, {"lang": "en", "value": "Artem Dmitriiev (a.dmitriiev)", "type": "remediation developer"}, {"lang": "en", "value": "Abhisek Mazumdar (abhisekmazumdar)", "type": "remediation developer"}, {"lang": "en", "value": "Dave Long (longwave)", "type": "remediation developer"}, {"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "remediation developer"}, {"lang": "en", "value": "Valery Lourie (valthebald)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12."}], "id": "CVE-2026-3573", "lastModified": "2026-03-26T21:17:09.557", "metrics": {}, "published": "2026-03-26T21:17:09.557", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-028"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.12)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "AI (Artificial Intelligence)", "source": "cna", "vendor": "Drupal"}, "product": "artificial_intelligence", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:52:09.556350+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal AI to version 1.1.11 or later, or to 1.2.12 or later, to eliminate the incorrect authorization flaw.", "Confirm that, after upgrading, resource handling is no longer exposed to users without appropriate permissions.", "If an upgrade cannot be performed immediately, restrict permissions for the Drupal AI module and monitor for anomalous resource injection attempts."], "summary": {"action": "Patch Update", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Drupal AI (Artificial Intelligence) is affected. Vulnerable releases include 0.0.0 through 1.1.10, and 1.2.0 through 1.2.11.", "description_and_impact": "The vulnerability is an incorrect authorization flaw that permits attackers to inject arbitrary resources into the Drupal AI (Artificial Intelligence) module. This flaw, categorized as CWE\u2011863, can lead to the inadvertent exposure of sensitive data that should have been protected by access controls.", "risk_and_exploitability": "EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently documented. It is inferred that the likely attack vector involves exploiting incorrect authorization, allowing a user with valid or spoofed credentials to perform resource injection that exposes confidential information. Because the flaw depends on bypassing module-level access checks, an attacker who can authenticate to the site (or compromise an authenticated user) can send crafted requests to trigger the injection without needing elevated privileges. The overall risk is moderate, as the vulnerability can affect confidentiality but does not enable broader system compromise."}}}}, "created": "2026-03-27T08:32:09.021401+00:00", "updated": "2026-03-27T09:23:37.313173+00:00", "vendors": ["drupal", "drupal$PRODUCT$artificial_intelligence"]}