it-securitynotifies - [IT-SecNots] [Security-news] Drupal core - Critical - PHP object injection - SA-CORE-2026-005

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Drupal core - Critical - PHP object injection - SA-CORE-2026-005


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Drupal core - Critical - PHP object injection - SA-CORE-2026-005
  • Date: Wed, 17 Jun 2026 18:31:13 +0000
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-core-2026-005

Project: Drupal core [1]
Date: 2026-June-05
Security risk: *Critical* 18/25
AC:None/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: PHP object injection

Affected versions: <10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 ||
>=11.3.0 <11.3.12 || >=11.4.0 <11.4.0-rc2 || 11.0.* || 11.1.*
CVE IDs: CVE-2026-55803
Description: 
SA-CORE-2019-003 [3] added protection for fields that store serialized data
to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An
attacker with appropriate JSON:API write permission could potentially inject
a malicious payload in certain rare circumstances, potentially resulting in
PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

* A site must use an entity reference field type that stores a serialized
property.
* An attacker must have permission to write to the entity via JSON:API.

No field type shipped with Drupal core meets these criteria, and contributed
or user-created field types that do appear to be extremely unusual. This
update protects all such fields; no changes are required in contributed
modules.

JSON:API is read-only by default, so sites are only affected if they have
enabled write access (either through administrator configuration or the
installation of a contributed or custom module that enables write access).

Drupal Steward protection:

This issue is being protected by Drupal Steward [4]. In this instance, we
believe that the WAF rule will provide mitigation for the common/obvious
vulnerability paths, but may not be able to cover all cases or work for all
hosting providers. Additionally, several other core security advisories
released today are /not/ mitigated by Drupal Steward. Therefore, our
recommended action is still to plan an actual Drupal update within 24 hours
of this release.

Solution: 
Install the latest version:

*Drupal 11*

* If you use Drupal 11.3.x, update to Drupal 11.3.12 [5].
* If you use Drupal 11.2.x, update to Drupal 11.2.14 [6].

*Drupal 10*

* If you use Drupal 10.6.x, update to Drupal 10.6.11 [7].
* If you use Drupal 10.5.x, update to Drupal 10.5.12 [8].

Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do
not receive security coverage. (Drupal 8 [9] and Drupal 9 [10] have both
reached end-of-life.)
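As an added example (not part of the advisory or of Drupal's own tooling), the following Python evaluates the advisory's own Composer-style affected-version constraint against an installed core version and maps a match to the update listed in the Solution section. Bare versions after `<` and `>=` are treated as a pre-release floor, the way Composer reads them, so `11.4.0-rc1` is caught by `>=11.4.0 <11.4.0-rc2` while `11.4.0` is not; branches with no fix release in the advisory (11.0.x, 11.1.x, 10.4.x and below, the 11.4.0 pre-releases) are reported as such.

```python
import re

# Affected-version constraint and fix releases, copied from SA-CORE-2026-005.
AFFECTED = ("<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || "
            ">=11.3.0 <11.3.12 || >=11.4.0 <11.4.0-rc2 || 11.0.* || 11.1.*")
FIXED_RELEASES = {(11, 3): "11.3.12", (11, 2): "11.2.14",
                  (10, 6): "10.6.11", (10, 5): "10.5.12"}

def parse_version(v, floor=False):
    """Sortable key ((major, minor, patch), pre). A final release gets
    pre=(1, "", 0) so it sorts after every pre-release of that number;
    "11.4.0-rc2" gets (0, "rc", 2). floor=True treats a bare version as its
    lowest pre-release, as Composer does for versions after '<' and '>='."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
        return nums, (0, m.group(1).lower(), int(m.group(2) or 0))
    return nums, ((0, "", 0) if floor else (1, "", 0))

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def _term_holds(v, term):
    if term.endswith(".*"):  # wildcard branch such as 11.0.*
        return v[0][:2] == tuple(int(x) for x in term[:-2].split("."))
    m = re.fullmatch(r"(<=|>=|<|>|==)?(.+)", term)
    op = m.group(1) or "=="
    return OPS[op](v, parse_version(m.group(2), floor=op in ("<", ">=")))

def satisfies(version, constraint):
    """Composer-style constraint: '||' separates alternatives; the
    whitespace-separated comparators inside one alternative must all hold."""
    v = parse_version(version)
    return any(all(_term_holds(v, t) for t in alt.split())
               for alt in constraint.split("||"))

def assess(version):
    """Map an installed Drupal core version to the advisory's action."""
    if not satisfies(version, AFFECTED):
        return "not affected"
    fix = FIXED_RELEASES.get(parse_version(version)[0][:2])
    if fix is None:  # 11.0.x, 11.1.x, 10.4.x and below, or the 11.4.0 pre-releases
        return "affected; no fix release listed for this branch in the advisory"
    return f"affected; update to {fix}"

if __name__ == "__main__":
    print({v: assess(v) for v in ["10.5.11", "10.6.10", "11.4.0-rc1", "11.4.0-rc2"]})
```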

Reported By: 
* Michael Maturi (michaelmaturi) [11]

Fixed By: 
* Björn Brala (bbrala) [12]
* Sascha Grossenbacher (berdir) [13]
* Lee Rowlands (larowlan) [14] of the Drupal Security Team
* Dave Long (longwave) [15] of the Drupal Security Team
* Drew Webber (mcdruid) [16] of the Drupal Security Team

Coordinated By: 
* Anna Kalata (akalata) [17] of the Drupal Security Team
* Benji Fisher (benjifisher) [18] of the Drupal Security Team
* Damien McKenna (damienmckenna) [19] of the Drupal Security Team
* David Strauss (david strauss) [20] of the Drupal Security Team
* Neil Drumm (drumm) [21] of the Drupal Security Team
* Greg Knaddison (greggles) [22] of the Drupal Security Team
* Tim Hestenes Lehnen (hestenet) [23]
* Lee Rowlands (larowlan) [24] of the Drupal Security Team
* Dave Long (longwave) [25] of the Drupal Security Team
* Drew Webber (mcdruid) [26] of the Drupal Security Team
* Juraj Nemec (poker10) [27] of the Drupal Security Team
* Ra Mänd (ram4nd) [28] provisional member of the Drupal Security Team
* Jess (xjm) [29] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/185158-drupal-security/-/work_items/1 [30]
------------------------------------------------------------------------------
Contribution record [31]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2019-003
[4] https://www.drupal.org/steward
[5] https://www.drupal.org/project/drupal/releases/11.3.12
[6] https://www.drupal.org/project/drupal/releases/11.2.14
[7] https://www.drupal.org/project/drupal/releases/10.6.11
[8] https://www.drupal.org/project/drupal/releases/10.5.12
[9] https://www.drupal.org/psa-2021-06-29
[10] https://www.drupal.org/psa-2023-11-01
[11] https://www.drupal.org/u/michaelmaturi
[12] https://www.drupal.org/u/bbrala
[13] https://www.drupal.org/u/berdir
[14] https://www.drupal.org/u/larowlan
[15] https://www.drupal.org/u/longwave
[16] https://www.drupal.org/u/mcdruid
[17] https://www.drupal.org/u/akalata
[18] https://www.drupal.org/u/benjifisher
[19] https://www.drupal.org/u/damienmckenna
[20] https://www.drupal.org/u/david-strauss
[21] https://www.drupal.org/u/drumm
[22] https://www.drupal.org/u/greggles
[23] https://www.drupal.org/u/hestenet
[24] https://www.drupal.org/u/larowlan
[25] https://www.drupal.org/u/longwave
[26] https://www.drupal.org/u/mcdruid
[27] https://www.drupal.org/u/poker10
[28] https://www.drupal.org/u/ram4nd
[29] https://www.drupal.org/u/xjm
[30] https://git.drupalcode.org/security/185158-drupal-security/-/work_items/1
[31] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3593881

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at


Archive provided by MHonArc 2.6.19+.
