
Drupal Automated Logout Extension Vulnerability Allows File Manipulation

CERT-Bund Security Advisories (wid.cert-bund.de)
Published March 18th, 2026
Detected March 19th, 2026

Summary

CERT-Bund has issued a security advisory regarding a vulnerability in Drupal's Automated Logout Extension. The vulnerability allows remote, anonymous attackers to manipulate files. Affected versions include Open Source Drupal Automated Logout <1.7.0 and <2.0.2.

What changed

CERT-Bund has released security advisory WID-SEC-2026-0781 detailing a vulnerability in the Drupal Automated Logout Extension. The advisory rates the flaw as medium, with a CVSS Base Score of 5.3 and a CVSS Temporal Score of 4.6. It enables remote, anonymous attackers to manipulate files on affected systems. The advisory specifically identifies Open Source Drupal Automated Logout versions prior to 1.7.0 and prior to 2.0.2 as vulnerable.

Organizations utilizing Drupal with the affected Automated Logout Extension must take immediate action to mitigate this risk. While the advisory indicates mitigation is available, specific steps are not detailed in this summary. It is crucial for IT security teams to identify the affected Drupal installations, apply available patches or workarounds, and monitor for any signs of exploitation. Failure to address this vulnerability could lead to unauthorized file manipulation and potential compromise of system integrity.

What to do next

  1. Identify all Drupal installations using the Automated Logout Extension.
  2. Apply available patches or mitigation strategies for affected versions (<1.7.0 and <2.0.2).
  3. Monitor systems for any signs of unauthorized file manipulation.
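One way to carry out steps 1 and 2 on a web server's file system is sketched below. This is an added example, not code from CERT-Bund or the Drupal project. It assumes that the module's machine name is `autologout`, that the installed release is recorded on a `version:` line in `autologout.info.yml`, and that each bound in the advisory applies to its own major branch (1.x fixed in 1.7.0, 2.x fixed in 2.0.2), so that 1.7.0 is not flagged merely because it is numerically below 2.0.2.

```python
import re
import sys
from pathlib import Path

# Fixed release per major branch, from the advisory's "<1.7.0" and "<2.0.2".
# Assumption: each bound applies only to its own branch (1.x and 2.x).
FIXED = {1: (1, 7, 0), 2: (2, 0, 2)}

def parse_version(raw):
    """Return (major, minor, patch) for '2.0.1' or legacy '8.x-1.6', else None."""
    v = raw.strip().strip("'\"")
    v = re.sub(r"^\d+\.x-", "", v)  # drop a legacy core prefix such as '8.x-'
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        return None  # dev snapshots, pre-releases and empty strings end up here
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(raw):
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"  # cannot be compared safely: check by hand
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return "unknown"  # branch is not listed in the advisory
    return "affected" if parsed < fixed else "not affected"

def scan(root):
    """Return (path, version, status) for every autologout.info.yml below root."""
    results = []
    for info in sorted(Path(root).rglob("autologout.info.yml")):
        text = info.read_text(errors="replace")
        m = re.search(r"^version:\s*(.+)$", text, re.M)
        version = m.group(1).strip().strip("'\"") if m else ""
        results.append((str(info), version, classify(version)))
    return results

# Constructed sample version strings, used when no directory is given.
SAMPLES = ["8.x-1.6", "1.7.0", "2.0.1", "2.0.2", "2.0.x-dev"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version, status in scan(sys.argv[1]):
            print(f"{status:13} {version or '(none)':10} {path}")
    else:
        for sample in SAMPLES:
            print(f"{classify(sample):13} {sample}")
```

Run it with the directory that holds the Drupal docroots as its only argument. Entries reported as `unknown` (development snapshots, pre-releases, files without a version line) need a manual check.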

Source document (simplified)

[WID-SEC-2026-0781] Drupal Automated Logout Extension: Vulnerability allows file manipulation

  • CVSS Base Score: 5.3 (medium)
  • CVSS Temporal Score: 4.6 (medium)
  • Remote attack: yes
  • Date: 18.03.2026
  • Last updated: 19.03.2026
  • Mitigation: yes

Affected systems

Operating system

  • Other
  • UNIX
  • Windows

Product description

Drupal is a free content management system based on the PHP scripting language and an SQL database. Numerous extensions allow the functionality of the core installation to be individually extended.

Products

18.03.2026

  • Open Source Drupal Automated Logout <1.7.0
  • Open Source Drupal Automated Logout <2.0.2

Attack

A remote, anonymous attacker can exploit a vulnerability in Drupal's Automated Logout Extension to manipulate files.

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

  • Agency: CERT-Bund
  • Published: March 18th, 2026
  • Instrument: Notice
  • Legal weight: Non-binding
  • Stage: Final
  • Change scope: Substantive
  • Document ID: WID-SEC-2026-0781

Who this affects

  • Applies to: Technology companies
  • Industry sector: 5112 Software & Technology
  • Activity scope: Software Vulnerability Management
  • Geographic scope: Germany (DE)

Taxonomy

  • Primary area: Cybersecurity
  • Operational domain: IT Security
  • Topics: Data Security, Software Vulnerabilities
