{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3527", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:55.560Z", "datePublished": "2026-03-26T20:03:05.935Z", "dateUpdated": "2026-03-27T18:14:54.400Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:05.935Z"}, "title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022", "datePublic": "2026-03-04T17:57:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Drupal", "product": "AJAX Dashboard", "collectionURL": "https://www.drupal.org/project/ajax_dashboard", "repo": "https://git.drupalcode.org/project/ajax_dashboard", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-022"}], "credits": [{"lang": "en", "value": "Juraj Nemec (poker10)", "type": "finder"}, {"lang": "en", "value": "Michael Nolan (laboratory.mike)", "type": "remediation developer"}, {"lang": "en", "value": "Bram Driesen (bramdriesen)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:14:37.894325Z", "id": "CVE-2026-3527", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:14:54.400Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3527", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:55.560Z", "datePublished": "2026-03-26T20:03:05.935Z", "dateUpdated": "2026-03-27T18:14:54.400Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:05.935Z"}, "title": "AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022", "datePublic": "2026-03-04T17:57:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Drupal", "product": "AJAX Dashboard", "collectionURL": "https://www.drupal.org/project/ajax_dashboard", "repo": "https://git.drupalcode.org/project/ajax_dashboard", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "3.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-022"}], "credits": [{"lang": "en", "value": "Juraj Nemec (poker10)", "type": "finder"}, {"lang": "en", "value": "Michael Nolan (laboratory.mike)", "type": "remediation developer"}, {"lang": "en", "value": "Bram Driesen (bramdriesen)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:14:37.894325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:13:55.262Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0."}, {"lang": "es", "value": "Vulnerabilidad de autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica en Drupal AJAX Dashboard permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a AJAX Dashboard: desde 0.0.0 anterior a 3.1.0."}], "id": "CVE-2026-3527", "lastModified": "2026-03-27T19:16:44.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:08.757", "references": [{"source": "[email protected]", "url": "https://www.drupal.org/sa-contrib-2026-022"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,3.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AJAX Dashboard", "source": "cna", "vendor": "Drupal"}, "product": "ajax_dashboard", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T20:24:34.805958+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal AJAX Dashboard module to version\u202f3.1.0 or newer.", "Confirm that the dashboard\u2019s access controls enforce authenticated and authorized use only.", "Apply any vendor\u2011issued configuration changes as detailed in the Drupal advisory.", "If upgrading is delayed, block external access to the dashboard page or restrict it to trusted IP ranges.", "Monitor web application logs for attempts to call the dashboard\u2019s privileged endpoints."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "Drupal AJAX Dashboard versions from the initial release 0.0.0 through just before 3.1.0 are affected. All deployments of this module that have not been upgraded to 3.1.0 or later will be vulnerable; no other products or versions are listed.", "description_and_impact": "The vulnerability is a Missing Authentication for a critical function within Drupal AJAX Dashboard. Because the dashboard allows access to sensitive operations without proper authentication checks, an attacker who can reach the web interface can invoke those functions and potentially alter or view data that should be protected. The flaw is characterized as a missing authentication weakness (CWE\u2011306), meaning it directly threatens the confidentiality, integrity, and availability of the application\u2019s protected resources.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium\u2011severity risk, while the EPSS score of less than 1\u202f% suggests the likelihood of exploitation is low. The vulnerability is not cataloged in CISA\u2019s KEV list, implying no known widespread use in the wild yet. Attackers can exploit the flaw from the network via the web interface, provided they can reach the AJAX Dashboard; the flaw does not require administrative credentials to access the page, but does allow the attacker to execute privileged actions once the function is invoked. Because the CVSS and EPSS figures are moderate and low respectively, organizations should treat this as a medium\u2011risk issue that still warrants timely remediation."}}}}, "created": "2026-03-27T08:32:17.214797+00:00", "updated": "2026-03-27T20:26:07.089607+00:00", "vendors": ["drupal", "drupal$PRODUCT$ajax_dashboard"]}