it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
- Date: Wed, 24 Jun 2026 18:43:17 +0000
- Archived-at: <>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Fg7qQ8Qf; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=SiNFIhrG; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=3C3erDQh; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8CF3484970
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 14919606B1
- Dmarc-filter: OpenDMARC Filter v1.4.2 smtp3.osuosl.org 14919606B1
- Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
- List-archive: <>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-061
Project: Paragraphs [1]
Date: 2026-June-24
Security risk: *Moderately critical* 11 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.21.0
CVE IDs: CVE-2026-13241
Description:
The optional Paragraphs Library module allows the reuse of paragraphs in
multiple places.
The module doesn't sufficiently restrict access to direct child paragraphs of
library items through API endpoints.
This vulnerability is mitigated by the fact the paragraphs_library module
must be in use and general write access to paragraphs through another module
must be allowed.
Solution:
Install the latest version:
* If you use the Paragraphs module for Drupal 8.x, upgrade to Paragraphs
8.x-1.21 [3]
Reported By:
* Mustafa Ahmed (mustafa007) [4]
Fixed By:
* Sascha Grossenbacher (berdir) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
Security
issue:
https://git.drupalcode.org/security/185093-paragraphs-security/-/work_items/1
[8]
------------------------------------------------------------------------------
Contribution record [9]
[1] https://www.drupal.org/project/paragraphs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/paragraphs/releases/8.x-1.21
[4] https://www.drupal.org/u/mustafa007
[5] https://www.drupal.org/u/berdir
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://git.drupalcode.org/security/185093-paragraphs-security/-/work_items/1
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3592628
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
- [IT-SecNots] [Security-news] Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061, security-news, 24.06.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.