
it-securitynotifies - [IT-SecNots] [Security-news] Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
  • Date: Wed, 28 Jan 2026 17:28:32 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=LzArLa8f; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 7D0D5403FB
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4102A82451
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-006

Project: Drupal Canvas [1]
Date: 2026-January-28
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.0.4
CVE IDs: CVE-2026-1553
Description: 
This Drupal Canvas module is a new visual page builder for Drupal. You can
create reusable components that match your design system, drag them onto a
page, edit content in place, preview changes across multiple pages, and undo
mistakes with ease.

The module doesn't sufficiently validate access to Canvas Pages when they are
unpublished.

This vulnerability is mitigated by the fact that Canvas Pages don't have
content moderation enabled by default, and they must be unpublished after
being released, and archiving is not a feature provided by the module yet.

Solution: 
Install the latest version:

If you use the Drupal Canvas module, upgrade to Canvas 1.0.4 [3].

Reported By: 
* jschref [4]

Fixed By: 
* Bálint Kléri (balintbrews) [5]
* Matt Glaman (mglaman) [6]
* Christian López Espínola (penyaskito) [7]
* Tim Plunkett (tim.plunkett) [8]

Coordinated By: 
* Alex Bronstein (effulgentsia) [9] of the Drupal Security Team
* Greg Knaddison (greggles) [10] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/31-canvas-security/-/issues/1 [11]
------------------------------------------------------------------------------
Contribution record [12]

[1] https://www.drupal.org/project/canvas
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/canvas/releases/1.0.4
[4] https://www.drupal.org/u/jschref
[5] https://www.drupal.org/u/balintbrews
[6] https://www.drupal.org/u/mglaman
[7] https://www.drupal.org/u/penyaskito
[8] https://www.drupal.org/u/timplunkett
[9] https://www.drupal.org/u/effulgentsia
[10] https://www.drupal.org/u/greggles
[11] https://git.drupalcode.org/security/31-canvas-security/-/issues/1
[12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567229
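
To check a site against the affected range above (<1.0.4), the following added example, which is not part of the advisory or the Canvas project, reads a `composer.lock` and classifies the locked Canvas version. It assumes the module is installed through Composer under the package name `drupal/canvas`; the sample lock file is constructed.

```python
import json
import re

PACKAGE = "drupal/canvas"  # assumption: Composer name for drupal.org/project/canvas
FIXED = (1, 0, 4)          # first fixed release per SA-CONTRIB-2026-006

def parse_version(raw):
    """Return ((major, minor, patch), is_stable), or None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", raw.strip())
    if not m:
        return None  # e.g. "dev-1.x": no fixed version to compare
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is None

def canvas_status(lock_text):
    """Classify a composer.lock: not-installed, affected, fixed or unknown."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        parsed = parse_version(pkg.get("version", ""))
        if parsed is None:
            return "unknown"  # branch checkout: inspect the commit by hand
        numbers, stable = parsed
        # By version ordering a pre-release such as 1.0.4-rc1 sorts before
        # 1.0.4, so it falls inside the "<1.0.4" range.
        if numbers < FIXED or (numbers == FIXED and not stable):
            return "affected"
        return "fixed"
    return "not-installed"

# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "11.2.0"},
        {"name": "drupal/canvas", "version": "1.0.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(PACKAGE, canvas_status(SAMPLE_LOCK))
```
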
