{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3573", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T21:17:43.868Z", "datePublished": "2026-03-26T20:10:13.350Z", "dateUpdated": "2026-03-30T14:54:43.980Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}, "title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "datePublic": "2026-03-11T16:33:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"vendor": "Drupal", "product": "AI (Artificial Intelligence)", "collectionURL": "https://www.drupal.org/project/ai", "repo": "https://git.drupalcode.org/project/ai", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "credits": [{"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "finder"}, {"lang": "en", "value": "Artem Dmitriiev (a.dmitriiev)", "type": "remediation developer"}, {"lang": "en", "value": "Abhisek Mazumdar (abhisekmazumdar)", "type": "remediation developer"}, {"lang": "en", "value": "Dave Long (longwave)", "type": "remediation developer"}, {"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "remediation developer"}, {"lang": "en", "value": "Valery Lourie (valthebald)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:40:38.581589Z", "id": "CVE-2026-3573", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:43.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3573", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:40:38.581589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:40:50.719Z"}}], "cna": {"title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Artem Dmitriiev (a.dmitriiev)"}, {"lang": "en", "type": "remediation developer", "value": "Abhisek Mazumdar (abhisekmazumdar)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Valery Lourie (valthebald)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ai", "vendor": "Drupal", "product": "AI (Artificial Intelligence)", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ai", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T16:33:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3573", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:43.980Z", "dateReserved": "2026-03-04T21:17:43.868Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:13.350Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal IA (Inteligencia Artificial) permite la inyecci\u00f3n de recursos. Este problema afecta a IA (Inteligencia Artificial): desde 0.0.0 antes de 1.1.11, desde 1.2.0 antes de 1.2.12."}], "id": "CVE-2026-3573", "lastModified": "2026-03-30T15:16:32.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.557", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-028"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.12)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "AI (Artificial Intelligence)", "source": "cna", "vendor": "Drupal"}, "product": "artificial_intelligence", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:52:09.556350+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal AI to version 1.1.11 or later, or to 1.2.12 or later, to eliminate the incorrect authorization flaw.", "Confirm that, after upgrading, resource handling is no longer exposed to users without appropriate permissions.", "If an upgrade cannot be performed immediately, restrict permissions for the Drupal AI module and monitor for anomalous resource injection attempts."], "summary": {"action": "Patch Update", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Drupal AI (Artificial Intelligence) is affected. Vulnerable releases include 0.0.0 through 1.1.10, and 1.2.0 through 1.2.11.", "description_and_impact": "The vulnerability is an incorrect authorization flaw that permits attackers to inject arbitrary resources into the Drupal AI (Artificial Intelligence) module. This flaw, categorized as CWE\u2011863, can lead to the inadvertent exposure of sensitive data that should have been protected by access controls.", "risk_and_exploitability": "EPSS data is unavailable and the issue is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently documented. It is inferred that the likely attack vector involves exploiting incorrect authorization, allowing a user with valid or spoofed credentials to perform resource injection that exposes confidential information. Because the flaw depends on bypassing module-level access checks, an attacker who can authenticate to the site (or compromise an authenticated user) can send crafted requests to trigger the injection without needing elevated privileges. The overall risk is moderate, as the vulnerability can affect confidentiality but does not enable broader system compromise."}}}}, "created": "2026-03-27T08:32:09.021401+00:00", "updated": "2026-03-27T09:23:37.313173+00:00", "vendors": ["drupal", "drupal$PRODUCT$artificial_intelligence"]}