{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4393", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-18T15:21:32.561Z", "datePublished": "2026-03-26T20:10:40.090Z", "dateUpdated": "2026-03-30T14:54:29.743Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:40.090Z"}, "title": "Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030", "datePublic": "2026-03-18T16:10:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"vendor": "Drupal", "product": "Automated Logout", "collectionURL": "https://www.drupal.org/project/autologout", "repo": "https://git.drupalcode.org/project/autologout", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.<p>This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-030"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Ajit Shinde (ajits)", "type": "remediation developer"}, {"lang": "en", "value": "Jakob P (japerry)", "type": "remediation developer"}, {"lang": "en", "value": "Gareth Alexander (the_g_bomb)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:42:26.474983Z", "id": "CVE-2026-4393", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:29.743Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4393", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:42:26.474983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:43:17.003Z"}}], "cna": {"title": "Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Ajit Shinde (ajits)"}, {"lang": "en", "type": "remediation developer", "value": "Jakob P (japerry)"}, {"lang": "en", "type": "remediation developer", "value": "Gareth Alexander (the_g_bomb)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/autologout", "vendor": "Drupal", "product": "Automated Logout", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.7.0", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.2", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/autologout", "defaultStatus": "unaffected"}], "datePublic": "2026-03-18T16:10:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-030"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.", "supportingMedia": [{"type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.<p>This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:40.090Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4393", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:29.743Z", "dateReserved": "2026-03-18T15:21:32.561Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:40.090Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery.This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Drupal Automated Logout permite la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. Este problema afecta a Automated Logout: de 0.0.0 anterior a 1.7.0, de 2.0.0 anterior a 2.0.2."}], "id": "CVE-2026-4393", "lastModified": "2026-03-30T15:16:32.887", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:10.220", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-030"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.7.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Automated Logout", "source": "cna", "vendor": "Drupal"}, "product": "automated_logout", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:51:54.321798+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal Automated Logout module to version 1.7.0 or later, or to version 2.0.2 or later", "If the module is not needed for site functionality, disable or remove it entirely", "Verify that the site\u2019s CSRF protection mechanisms remain enabled and correctly configured"], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Request Forgery"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Automated Logout module in all releases prior to 1.7.0 of the 1.x series and prior to 2.0.2 of the 2.x series.", "description_and_impact": "A Cross\u2011Site Request Forgery vulnerability exists in the Drupal Automated Logout module. The flaw allows an attacker to trigger the logout action without the user\u2019s consent by sending a crafted request. Because the module does not verify the request source, an attacker can force a logged\u2011in user to be logged out from the site.", "risk_and_exploitability": "The flaw can be exploited remotely with a crafted request that a logged\u2011in user clicks or follows. No authentication on the target system is required, but the victim must already be logged in. The EPSS score is not available and not listed in the CISA Known Exploited Vulnerabilities catalog, so a specific risk rating is not provided."}}}}, "created": "2026-03-27T08:32:07.106368+00:00", "updated": "2026-03-27T09:23:35.158046+00:00", "vendors": ["drupal", "drupal$PRODUCT$automated_logout"]}