{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4393", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-18T15:21:32.561Z", "datePublished": "2026-03-26T20:10:40.090Z", "dateUpdated": "2026-03-26T20:10:40.090Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:40.090Z"}, "title": "Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030", "datePublic": "2026-03-18T16:10:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "Drupal", "product": "Automated Logout", "collectionURL": "https://www.drupal.org/project/autologout", "repo": "https://git.drupalcode.org/project/autologout", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.<p>This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-030"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Ajit Shinde (ajits)", "type": "remediation developer"}, {"lang": "en", "value": "Jakob P (japerry)", "type": "remediation developer"}, {"lang": "en", "value": "Gareth Alexander (the_g_bomb)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2."}], "id": "CVE-2026-4393", "lastModified": "2026-03-26T21:17:10.220", "metrics": {}, "published": "2026-03-26T21:17:10.220", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-030"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Automated Logout", "source": "cna", "vendor": "Drupal"}, "product": "automated_logout", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:51:54.321798+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal Automated Logout module to version 1.7.0 or later, or to version 2.0.2 or later", "If the module is not needed for site functionality, disable or remove it entirely", "Verify that the site\u2019s CSRF protection mechanisms remain enabled and correctly configured"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Automated Logout module in all releases prior to 1.7.0 of the 1.x series and prior to 2.0.2 of the 2.x series.", "description_and_impact": "A Cross\u2011Site Request Forgery vulnerability exists in the Drupal Automated Logout module. The flaw allows an attacker to trigger the logout action without the user\u2019s consent by sending a crafted request. Because the module does not verify the request source, an attacker can force a logged\u2011in user to be logged out from the site.", "risk_and_exploitability": "The flaw can be exploited remotely with a crafted request that a logged\u2011in user clicks or follows. No authentication on the target system is required, but the victim must already be logged in. The EPSS score is not available and not listed in the CISA Known Exploited Vulnerabilities catalog, so a specific risk rating is not provided."}}}}, "created": "2026-03-27T08:32:07.106368+00:00", "updated": "2026-03-27T09:23:35.158046+00:00", "vendors": ["drupal", "drupal$PRODUCT$automated_logout"]}