it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
- Date: Wed, 25 Feb 2026 18:51:03 +0000 (UTC)
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/XXU44G6VADPZRINKBH47DLTO4HNE2NWV/>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=LNczNsd6; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=default header.b=BG74RY9P; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-017
Project: Drupal Canvas [1]
Date: 2026-February-25
Security risk: *Moderately critical* 11 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Server-side request forgery, Information disclosure
Affected versions: <1.1.1
CVE IDs: CVE-2026-3216
Description:
This module enables you to easily theme and build an entire website using
only a browser, without the need to write code beyond basic JSX and CSS.
Content creators are able to compose content on any part of the page without
relying on developers.
The project has a hidden sub-module, *Drupal Canvas AI*, which is disabled
by default. It is typically enabled as a dependency by Drupal Recipes or
enabled directly via deployment scripts (e.g., Drush). When the submodule is
enabled, the following vulnerability is exposed.
The sub-module does not sufficiently sanitize user-supplied data submitted in
the messages JSON payload of crafted API requests, which can lead to
server-side request forgery and information disclosure.
It is mitigated by the fact that an attacker must have a role with the
permission "use Drupal Canvas AI".
*How the Canvas AI sub-module gets enabled:* As a hidden submodule, canvas_ai
is not intended for manual activation via the UI. It is designed to be pulled
in as a dependency by Drupal Recipes or enabled directly via deployment
scripts (e.g., Drush).
Solution:
Install the latest version:
* If you use the Drupal Canvas module, upgrade to Drupal Canvas 1.1.1 [3].
Sites without the hidden sub-module enabled are not vulnerable. The module is
hidden from the UI module list, but admins can verify its status from the
command line: drush config:get core.extension | grep canvas_ai (a canvas_ai
line in the output means the sub-module is installed).
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Bálint Kléri (balintbrews) [5]
* Ignacio Sánchez Holgueras (isholgueras) [6]
* Drew Webber (mcdruid) [7] of the Drupal Security Team
* Narendra Singh Rathore (narendrar) [8]
* Christian López Espínola (penyaskito) [9]
* Tim Plunkett (tim.plunkett) [10]
Coordinated By:
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Juraj Nemec (poker10) [13] of the Drupal Security Team
* Jess (xjm) [14] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [15]
[1] https://www.drupal.org/project/canvas
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/canvas/releases/1.1.1
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/balintbrews
[6] https://www.drupal.org/u/isholgueras
[7] https://www.drupal.org/u/mcdruid
[8] https://www.drupal.org/u/narendrar
[9] https://www.drupal.org/u/penyaskito
[10] https://www.drupal.org/u/timplunkett
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/poker10
[14] https://www.drupal.org/u/xjm
[15] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3575773
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
Archive provided by MHonArc 2.6.19+.