
it-securitynotifies - [IT-SecNots] [Security-news] AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056
  • Date: Wed, 24 Jun 2026 18:38:34 +0000
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-056

Project: AI Agents [1]
Date: 2026-June-24
Security risk: *Less critical* 9 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.1.4 || >=1.2.0 <1.2.5 || >=1.3.0 <1.3.1
CVE IDs: CVE-2026-13236
Description: 
This module provides the entity type and runtime for Drupal AI Agents,
enabling agents to use tools.

The module does not sufficiently check the required permissions when a tool
loads content entities.

This vulnerability is mitigated by the fact that an agent must be configured
to use the affected tool, and an attacker must have access to that agent.

Solution: 
Install the latest version:

* If you use the AI Agents module 1.1.3, upgrade to AI Agents 1.1.4 [3]
* If you use the AI Agents module 1.2.4, upgrade to AI Agents 1.2.5 [4]
* If you use the AI Agents module 1.3.0, upgrade to AI Agents 1.3.1 [5]

Reported By: 
* Kuniyoshi Noguchi (kuninogu) [6]

Fixed By: 
* Artem Dmitriiev (a.dmitriiev) [7]
* AKHIL BABU (akhil babu) [8]
* harivansh sharma (harivansh) [9]
* Kuniyoshi Noguchi (kuninogu) [10]
* Marcus Johansson (marcus_johansson) [11]

Coordinated By: 
* Bram Driesen (bramdriesen) [12] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/3586041-ai_agents-security/-/work_items/1 [13]
------------------------------------------------------------------------------
Contribution record [14]

[1] https://www.drupal.org/project/ai_agents
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ai_agents/releases/1.1.4
[4] https://www.drupal.org/project/ai_agents/releases/1.2.5
[5] https://www.drupal.org/project/ai_agents/releases/1.3.1
[6] https://www.drupal.org/u/kuninogu
[7] https://www.drupal.org/u/admitriiev
[8] https://www.drupal.org/u/akhil-babu
[9] https://www.drupal.org/u/harivansh
[10] https://www.drupal.org/u/kuninogu
[11] https://www.drupal.org/u/marcus_johansson
[12] https://www.drupal.org/u/bramdriesen
[13] https://git.drupalcode.org/security/3586041-ai_agents-security/-/work_items/1
[14] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3605522
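
Added example, not part of the advisory or of the AI Agents project's code: a small Python check that evaluates the advisory's "Affected versions" constraint against installed version strings, for triaging several sites at once. The site names and installed versions in the sample inventory are constructed, and pre-release or dev strings are flagged for manual review rather than ordered.

```python
import re

# Constraint copied verbatim from the advisory's "Affected versions" line.
AFFECTED = "<1.1.4 || >=1.2.0 <1.2.5 || >=1.3.0 <1.3.1"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """Parse a stable 'x.y.z' release into an int tuple so 1.2.10 > 1.2.5."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"not a stable x.y.z version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(installed, constraint=AFFECTED):
    """True if `installed` satisfies any '||' alternative of the constraint."""
    version = parse_version(installed)
    for alternative in constraint.split("||"):
        # Comparators inside one alternative are ANDed together.
        terms = re.findall(r"(<=|>=|<|>)\s*(\d+\.\d+\.\d+)", alternative)
        if terms and all(_OPS[op](version, parse_version(bound))
                         for op, bound in terms):
            return True
    return False


def triage(inventory):
    """Map each site to 'affected', 'not affected' or 'review manually'."""
    result = {}
    for site, installed in inventory.items():
        try:
            result[site] = "affected" if is_affected(installed) else "not affected"
        except ValueError:
            # Dev or pre-release builds are not ordered here; check by hand.
            result[site] = "review manually"
    return result


if __name__ == "__main__":
    # Constructed inventory: site names and installed versions are made up.
    sample = {"www": "1.2.4", "intranet": "1.3.1", "staging": "1.3.0-rc1"}
    for site, status in triage(sample).items():
        print(f"{site}: {status}")
```

Note that the first alternative, `<1.1.4`, has no lower bound, so every stable release below 1.1.4 matches, not only 1.1.3.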
