Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060
  • Date: Wed, 24 Jun 2026 18:42:31 +0000
  • Archived-at: <>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=P9V9tY3S; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=jRwp0aFT; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=cpc+lRNa; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org EC03E85277
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org EBBF881EE9
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org EBBF881EE9
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-060

Project: Paragraphs [1]
Date: 2026-June-24
Security risk: *Less critical* 9 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.21.0
CVE IDs: CVE-2026-13240
Description: 
The optional Paragraphs Library module allows the reuse of paragraphs in
multiple places.
The module doesn't sufficiently restrict access to unpublished library items
in lists.
This vulnerability is mitigated by the fact the paragraphs_library module
must be in use, and that an attacker must have access to a list of library
items, such as a field with autocomplete suggestions or a view.

Solution: 
Install the latest version:

* If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs
8.x-1.21 [3]

Reported By: 
* Pierre Rudloff (prudloff) [4] of the Drupal Security Team

Fixed By: 
* Sascha Grossenbacher (berdir) [5]
* Pierre Rudloff (prudloff) [6] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] of the Drupal Security Team

Security
issue: 
https://git.drupalcode.org/security/185207-paragraphs-security/-/work_items/1
[9]
------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/paragraphs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/paragraphs/releases/8.x-1.21
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/berdir
[6] https://www.drupal.org/u/prudloff
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/prudloff
[9] https://git.drupalcode.org/security/185207-paragraphs-security/-/work_items/1
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3604214

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

  • [IT-SecNots] [Security-news] Paragraphs - Less critical - Access bypass - SA-CONTRIB-2026-060, security-news, 24.06.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang