Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055
  • Date: Wed, 24 Jun 2026 18:37:46 +0000
  • Archived-at: <>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b="YRfH/nBu"; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=CGNZONbf; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b="j/WCCPGI"; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0C7FF4061A
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org AB8164025C
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp2.osuosl.org AB8164025C
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-055

Project: AI (Artificial Intelligence) [1]
Date: 2026-June-24
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.2.17 || >=1.3.0 <1.3.8 || >=1.4.0 <1.4.3
CVE IDs: CVE-2026-13235
Description: 
This module enables you to utilize an agent to use Drupal core actions tools
with bypassed access.

Certain Drupal core actions, exposed as agent tools did not have correct
access validation, and some core actions were missing associated access-level
definitions.

This vulnerability is mitigated by the fact that an attacker must have access
to communicate with an affected agent, the site must be configured to expose
the affected tools to non-privileged users.

Solution: 
Install the latest version:

* If you use the AI module 1.2.16, upgrade to AI 1.2.17 [3]
* If you use the AI module 1.3.7 upgrade to AI 1.3.8 [4]
* If you use the AI module 1.4.2 upgrade to AI 1.4.3 [5]

Reported By: 
* AKHIL BABU (akhil babu) [6]
* Kuniyoshi Noguchi (kuninogu) [7]

Fixed By: 
* Artem Dmitriiev (a.dmitriiev) [8]
* Marcus Johansson (marcus_johansson) [9]
* Dezső Biczó (mxr576) [10]
* Valery Lourie (valthebald) [11]

Coordinated By: 
* Bram Driesen (bramdriesen) [12] of the Drupal Security Team
* Greg Knaddison (greggles) [13] of the Drupal Security Team
* Drew Webber (mcdruid) [14] of the Drupal Security Team
* Juraj Nemec (poker10) [15] of the Drupal Security Team

Security
issue: https://git.drupalcode.org/security/3586526-ai-security/-/work_items/1
[16]
------------------------------------------------------------------------------
Contribution record [17]

[1] https://www.drupal.org/project/ai
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai/releases/1.2.17
[4] https://www.drupal.org/project/ai/releases/1.3.8
[5] https://www.drupal.org/project/ai/releases/1.4.3
[6] https://www.drupal.org/u/akhil-babu
[7] https://www.drupal.org/u/kuninogu
[8] https://www.drupal.org/u/admitriiev
[9] https://www.drupal.org/u/marcus_johansson
[10] https://www.drupal.org/u/mxr576
[11] https://www.drupal.org/u/valthebald
[12] https://www.drupal.org/u/bramdriesen
[13] https://www.drupal.org/u/greggles
[14] https://www.drupal.org/u/mcdruid
[15] https://www.drupal.org/u/poker10
[16] https://git.drupalcode.org/security/3586526-ai-security/-/work_items/1
[17] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3600895

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

  • [IT-SecNots] [Security-news] AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055, security-news, 24.06.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang