
it-securitynotifies - [IT-SecNots] [Security-news] Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
  • Date: Wed, 14 Jan 2026 17:53:34 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=IJoKioEV; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 672B782F3D
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 3BD8682670
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-001

Project: Group invite [1]
Date: 2026-January-14
Security risk: *Moderately critical* 14 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4
CVE IDs: CVE-2026-0944
Description: 
This module allows group managers to invite people into their group.

The module doesn't sufficiently check access under certain circumstances,
allowing unauthorized users to access the group's content.

This vulnerability is mitigated by the fact that it only occurs when certain
uncommon actions are taken by a user with the permission to create group
invites.

Solution: 
Install the latest version:

* If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9 [3]
* If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4 [4]
* If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4 [5]

Reported By: 
* Kevin Quillen (kevinquillen) [6]

Fixed By: 
* eduardo morales alberti [7]
* Kevin Quillen (kevinquillen) [8]
* Nikolay Lobachev (lobsterr) [9]
* Ricardo Sanz Ante (tunic) [10]

Coordinated By: 
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Juraj Nemec (poker10) [12] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [13]

[1] https://www.drupal.org/project/ginvite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ginvite/releases/2.3.9
[4] https://www.drupal.org/project/ginvite/releases/3.0.4
[5] https://www.drupal.org/project/ginvite/releases/4.0.4
[6] https://www.drupal.org/u/kevinquillen
[7] https://www.drupal.org/u/eduardo-morales-alberti
[8] https://www.drupal.org/u/kevinquillen
[9] https://www.drupal.org/u/lobsterr
[10] https://www.drupal.org/u/tunic
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/poker10
[13] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567529

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
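
Added example (not part of the advisory or of the Group Invite project's code): a small evaluator for the advisory's "Affected versions" expression, for triaging an inventory of installed Group Invite versions. It assumes plain numeric X.Y.Z version strings; the site names in the sample inventory are constructed.

```python
import re

# Constraint string copied from the advisory's "Affected versions" line.
AFFECTED = "<2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn 'X.Y.Z' into a tuple of ints; reject anything else (assumption:
    plain numeric releases only, no -beta/-rc/-dev suffixes)."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_constraint(expr):
    """'||' separates alternatives; comparators inside one alternative are ANDed."""
    alternatives = []
    for alt in expr.split("||"):
        comparators = []
        for token in alt.split():
            m = re.fullmatch(r"(<=|>=|<|>|=)(\S+)", token)
            if not m:
                raise ValueError(f"unsupported comparator: {token!r}")
            comparators.append((_OPS[m.group(1)], parse_version(m.group(2))))
        if not comparators:
            raise ValueError("empty alternative in constraint")
        alternatives.append(comparators)
    return alternatives

def is_affected(installed, expr=AFFECTED):
    version = parse_version(installed)
    return any(all(op(version, bound) for op, bound in alt)
               for alt in parse_constraint(expr))

def triage(inventory):
    """Map site name -> True if its ginvite version needs the upgrade."""
    return {site: is_affected(ver) for site, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory for illustration; site names are hypothetical.
    sample = {"intranet": "2.3.8", "community": "3.0.4", "partners": "4.0.0", "legacy": "1.2.0"}
    for site, hit in triage(sample).items():
        print(f"{site}: {'UPGRADE' if hit else 'ok'}")
```

Versions with a pre-release suffix are rejected with a `ValueError` rather than guessed at, so they surface for manual review.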
