Medium severity4.3NVD Advisory· Published Nov 25, 2016· Updated May 6, 2026

CVE-2016-9449

Description

The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 may disclose sensitive taxonomy term information to authenticated users due to inconsistent access query tag naming.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 may disclose sensitive taxonomy term information to authenticated users due to inconsistent access query tag naming.

Vulnerability

The taxonomy module in Drupal 7.x before version 7.52 and 8.x before 8.2.3 uses an inconsistent naming convention for access query tags. The tag term_access is used instead of the standard taxonomy_term_access pattern. This inconsistency can cause custom and contributed modules that implement hook_query_alter() or hook_query_TAG_alter() to fail to apply access restrictions to taxonomy term queries, potentially exposing sensitive information [2][3].

Exploitation

An attacker must be a remote authenticated user with any role that can view taxonomy terms. No special privileges are required. The vulnerability is triggered when the site relies on custom access control via query tags; if a module only checks for the standard taxonomy_term_access tag, it will miss queries tagged with term_access, allowing the attacker to retrieve taxonomy terms that should be restricted [3].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information about taxonomy terms. The attacker gains knowledge of term names, descriptions, and possibly other metadata that should be hidden from their role. The impact is limited to information disclosure; no modification or deletion of data is possible [2][3].

Mitigation

The fix is included in Drupal core versions 7.52 and 8.2.3, released on 2016-November-16. Users should upgrade to these versions or later. No workaround is available for sites that cannot immediately upgrade. The vulnerability is rated as Less critical by the Drupal security team [3].

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
drupal/corePackagist	>= 7.0, < 7.52	7.52
drupal/corePackagist	>= 8.0, < 8.2.3	8.2.3
drupal/drupalPackagist	>= 8.0, < 8.2.3	8.2.3
drupal/drupalPackagist	>= 7.0, < 7.52	7.52

Affected products

119

Drupal/Drupal117 versions
cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*+ 116 more
- cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.14:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.15:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.16:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.17:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.18:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.19:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.20:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.21:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.22:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.23:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.24:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.25:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.26:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.27:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.28:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.29:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.30:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.31:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.32:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.33:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.34:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.35:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.36:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.37:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.38:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.40:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.41:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.42:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.43:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.44:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.50:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:7.51:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*
ghsa-coords2 versions
pkg:composer/drupal/core pkg:composer/drupal/drupal
>= 7.0, < 7.52+ 1 more
- (no CPE)range: >= 7.0, < 7.52
- (no CPE)range: >= 8.0, < 8.2.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.drupal.org/SA-CORE-2016-005nvdPatchVendor AdvisoryWEB
www.securityfocus.com/bid/94367nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-p745-347h-hjfwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2016-9449ghsaADVISORY
www.debian.org/security/2016/dsa-3718nvdWEB
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-9449.yamlghsaWEB
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-9449.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000