Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
  • Date: Wed, 1 Jul 2026 17:21:58 +0000
  • Archived-at: <>
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=NfPWnv1g; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=f34odw3mfzgsrgyn3evjayysxxl6jizn header.b=lLFFx86M; dkim=fail ("body hash did not verify") header.d=amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=QvyrPDSH; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 018F641C1F
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 2410F80E5F
  • Dmarc-filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 2410F80E5F
  • Feedback-id: ::1.us-west-2.eaokZ1GT8utLqfMHQoyOsEFVrSIzzS6R+14LP6WIIUY=:AmazonSES
  • List-archive: <>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-067

Project: FlowDrop [1]
Date: 2026-July-01
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <1.6.0
CVE IDs: CVE-2026-58589
Description: 
This module enables you to test and run AI-driven workflows interactively
through a chat interface.

The module doesn't sufficiently enforce permissions on certain endpoints.
Attackers may be able to trigger workflow execution (incurring LLM spend and
tool side effects) or send messages into other user's sessions.

This vulnerability is mitigated by the fact that an attacker must have the
permission "View any session", which is not granted to anonymous or
authenticated users by default.

Solution: 
Install the latest version:

* If you use the FlowDrop module for Drupal 11.x, upgrade to FlowDrop 1.6.0
[3]

Driving a session now additionally requires the "Execute session workflow"
permission.

Reported By: 
* Aincient Labs (aincient labs) [4]

Fixed By: 
* Shibin Das (d34dman) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Neil Drumm (drumm) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Dave Long (longwave) [9] of the Drupal Security Team

Security
issue: 
https://git.drupalcode.org/security/3592076-flowdrop-security/-/work_items/1
[10]
------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/flowdrop
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/flowdrop/releases/1.6.0
[4] https://www.drupal.org/u/aincient-labs
[5] https://www.drupal.org/u/d34dman
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/drumm
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/longwave
[10] https://git.drupalcode.org/security/3592076-flowdrop-security/-/work_items/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3598233

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at

  • [IT-SecNots] [Security-news] FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067, security-news, 01.07.2026

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang