it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
- Date: Wed, 14 Jan 2026 17:54:34 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=AgZ1+m2q; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1CCE783163
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 79DD280D4B
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-002
Project: Role Delegation [1]
Date: 2026-January-14
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=1.3.0 <1.5.0
CVE IDs: CVE-2026-0945
Description:
This module allows site administrators to grant specific roles the authority
to assign selected roles to users, without them needing the "administer
permissions" permission.
The module contains an access bypass vulnerability when used in combination
with the Views Bulk Operations module. A user with the ability to delegate a
role is also able to assign the administrator role, including to their own
user.
This vulnerability is mitigated by the fact that an attacker must have access
to a view of users with the Views Bulk Operations module enabled.
Solution:
Install the latest version:
* If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to
Role Delegation 8.x-1.5 [3]
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Adam Bramley (acbramley) [5]
* Dieter Holvoet (dieterholvoet) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [10]
[1] https://www.drupal.org/project/role_delegation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/role_delegation/releases/8.x-1.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/acbramley
[6] https://www.drupal.org/u/dieterholvoet
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567530
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002, security-news, 14.01.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.