Access bypass in Drupal Core 8/9
Description
Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal Core 8.8.x before 8.8.10, 8.9.x before 8.9.6 and 9.0.x before 9.0.6 place URL text derived from the incoming request into the rendered `action` of affected forms without filtering unsafe URL schemes. The CVE record labels this an access bypass; the fix commits on this page (which wrap the value in `UrlHelper::filterBadProtocol()`) and the vendor advisory SA-CORE-2020-009 treat it as cross-site scripting.
Vulnerability
`FormBuilder::buildFormAction()` derives the `action` attribute of every rendered form from the raw request URI: it parses the URI, removes only the two internal query keys (`FormBuilder::AJAX_FORM_REQUEST` and `MainContentViewSubscriber::WRAPPER_FORMAT`) and returns the path plus the rebuilt query string unchanged. `UserLoginBlock::renderPlaceholderFormAction()` does the same for the user login block, rendering the `<current>` route URL plus the `destination` query as `#markup`. In the affected versions neither value passes through `UrlHelper::filterBadProtocol()`, so a request URI whose leading segment is a disallowed scheme (for example `javascript:`) is reproduced intact in the form's action attribute. This issue affects Drupal Core versions 8.8.x prior to 8.8.10, 8.9.x prior to 8.9.6, and 9.0.x prior to 9.0.6 [2].
Exploitation
Exploitation is reflected: the attacker must get a victim's browser to request an attacker-chosen URL whose path or query survives into the form action of a page that renders an affected form, and, for a script-scheme action, the victim must then submit that form. Any form is a candidate because `buildFormAction()` is shared by all forms, and the user login block is rendered to anonymous users, so no authentication is needed on the victim's side in that case. The public references do not document a concrete request, nor which server configurations allow a value that is not a normal path to reach the request URI, so no exploitation steps beyond the location of the unfiltered reflection are claimed here [2].
Impact
Successful exploitation runs attacker-chosen content in the origin of the Drupal site for the victim who submitted the form; the usual consequence is requests issued with the victim's session and privileges, including an administrator's, and disclosure of whatever that user can read. Read the CVE record's "access bypass" wording in that light: the access bypassed is the victim's, by acting as them in the browser, not a server-side permission check [2].
Mitigation
The vulnerability is fixed in Drupal Core 8.8.10, 8.9.6 and 9.0.6; upgrade to those or later versions. The GHSA range starts at 8.0.0, so sites still on 8.7.x or earlier have no patched release in their own branch and must move to 8.8.10 or later. The fix is two lines per file, visible in the Patches section: the computed action is wrapped in `UrlHelper::filterBadProtocol()`, which strips URL schemes outside Drupal's allow-list and HTML-escapes the result before it is substituted for the form action placeholder. No workarounds are documented in the available references [2]. To confirm a deployment is patched, check that `buildFormAction()` in `lib/Drupal/Core/Form/FormBuilder.php` returns `UrlHelper::filterBadProtocol($action)` rather than the raw path-and-query string.
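The rendering step described above, as an added example that is not Drupal's code and not part of the original page: a Python model of `buildFormAction()` before and after the fix. `strip_dangerous_protocols()` and `filter_bad_protocol()` re-implement the behaviour the fix relies on (scheme allow-list, then HTML escaping for the attribute context); the allow-list, the string values of the two internal query keys, the form template, the placeholder mechanism and the crafted request URI are assumptions or constructed inputs, and how such a URI would reach a real server is deliberately not modelled.

```python
"""Added example (not Drupal's code): a Python model of the form-action rendering
path changed by SA-CORE-2020-009, contrasting pre-fix and post-fix behaviour."""
import html
from urllib.parse import parse_qsl, urlencode

# Scheme allow-list modelled on the default list used by Drupal's UrlHelper
# (assumption: written from memory of that default, not read from the page).
ALLOWED_PROTOCOLS = frozenset({
    "http", "https", "ftp", "news", "nntp", "tel", "telnet", "mailto",
    "irc", "ssh", "sftp", "webcal", "rtsp",
})

# The two query keys the fix hunk unsets before rebuilding the action
# (FormBuilder::AJAX_FORM_REQUEST and MainContentViewSubscriber::WRAPPER_FORMAT);
# their string values are assumed here.
INTERNAL_QUERY_KEYS = frozenset({"ajax_form", "_wrapper_format"})

PLACEHOLDER = "form_action_placeholder"
# Hypothetical template: the attribute was escaped when the placeholder token was
# rendered, so whatever later replaces the token lands in the page unescaped.
FORM_TEMPLATE = f'<form action="{PLACEHOLDER}" method="post"><input type="submit"></form>'


def strip_dangerous_protocols(uri: str) -> str:
    """Drop leading schemes that are not allow-listed, repeating until stable so
    that stacked schemes like 'javascript:javascript:...' are removed too."""
    while True:
        scheme, colon, rest = uri.partition(":")
        # No colon, colon at position 0, or a path/query/fragment character before
        # the colon: the colon is not a scheme delimiter, keep the string as-is.
        if not colon or not scheme or any(c in scheme for c in "/?#"):
            return uri
        if scheme.lower() in ALLOWED_PROTOCOLS:
            return uri
        uri = rest  # disallowed scheme: drop it and look at what follows


def filter_bad_protocol(uri: str) -> str:
    """Equivalent of the call the fix adds: scheme filtering, then HTML escaping
    so the value is safe to substitute into an attribute context."""
    return html.escape(strip_dangerous_protocols(uri), quote=True)


def build_form_action(request_uri: str, fixed: bool) -> str:
    """Rebuild the form action from the request URI the way buildFormAction() does:
    split off the query, drop the two internal keys, re-encode the rest. With
    fixed=False the result is returned verbatim (pre-fix); with fixed=True it is
    passed through filter_bad_protocol() (post-fix)."""
    without_fragment = request_uri.split("#", 1)[0]
    path, _, query = without_fragment.partition("?")
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k not in INTERNAL_QUERY_KEYS]
    action = path + ("?" + urlencode(kept) if kept else "")
    return filter_bad_protocol(action) if fixed else action


def render_form(action_markup: str) -> str:
    """Placeholder replacement: the markup is inserted as-is, like the render
    placeholder the UserLoginBlock hunk feeds with '#markup'."""
    return FORM_TEMPLATE.replace(PLACEHOLDER, action_markup)


def action_runs_script(rendered_form: str) -> bool:
    """Crude check: does the rendered action attribute start with a script scheme?"""
    start = rendered_form.index('action="') + len('action="')
    value = rendered_form[start:rendered_form.index('"', start)]
    return value.lstrip().lower().startswith("javascript:")


# Constructed input. How such a string would reach the request URI in a real
# deployment is not described by the advisory; only the rendering step is modelled.
CRAFTED_REQUEST_URI = (
    "javascript:alert(document.domain)//?destination=/user/login&_wrapper_format=drupal_ajax"
)

if __name__ == "__main__":
    for fixed in (False, True):
        page = render_form(build_form_action(CRAFTED_REQUEST_URI, fixed=fixed))
        print("after fix " if fixed else "before fix", page, action_runs_script(page))
```

The point the model makes is that attribute escaping alone does not help here: `javascript:alert(document.domain)` contains no character that `html.escape()` touches, so only the scheme allow-list removes it. Note also that the internal query key is stripped in both variants; the pre-fix code was already sanitising the query for a different reason (the `node/2504709` comment in the hunk) and simply never considered the scheme.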
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/core | Packagist | >= 8.0.0, < 8.8.10 | 8.8.10 |
| drupal/core | Packagist | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/core | Packagist | >= 9.0.0, < 9.0.6 | 9.0.6 |
| drupal/drupal | Packagist | >= 8.0.0, < 8.8.10 | 8.8.10 |
| drupal/drupal | Packagist | >= 8.9.0, < 8.9.6 | 8.9.6 |
| drupal/drupal | Packagist | >= 9.0.0, < 9.0.6 | 9.0.6 |
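An added check, not from the advisory or from Drupal, that evaluates a `composer.lock` against the ranges in the table above. Only the two package names in the table are checked, `packages-dev` is included, and versions that are not plain `major.minor.patch` (branch aliases such as `9.0.x-dev`) are reported separately for manual review rather than silently passed. The lock fragment is constructed, not a real file.

```python
"""Added example (not from the advisory or Drupal): report locked Drupal packages
that fall inside the affected ranges of GHSA-m6q5-wv4x-fv6h / CVE-2020-13668."""
import json
import re

# (package, first affected version inclusive, first fixed version exclusive),
# copied from the Affected packages table.
AFFECTED_RANGES = [
    ("drupal/core", "8.0.0", "8.8.10"),
    ("drupal/core", "8.9.0", "8.9.6"),
    ("drupal/core", "9.0.0", "9.0.6"),
    ("drupal/drupal", "8.0.0", "8.8.10"),
    ("drupal/drupal", "8.9.0", "8.9.6"),
    ("drupal/drupal", "9.0.0", "9.0.6"),
]
WATCHED = {pkg for pkg, _, _ in AFFECTED_RANGES}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (major, minor, patch) or None for dev/branch aliases like '9.0.x-dev'."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None


def _entries(lock: dict):
    return lock.get("packages", []) + lock.get("packages-dev", [])


def find_affected(lock: dict):
    """Return [(package, installed, first_fixed)] for each locked package inside
    an affected range. A package matches at most one range, so 8.7.x sites are
    told to move to 8.8.10, the first release that carries the fix."""
    findings = []
    for entry in _entries(lock):
        if entry.get("name") not in WATCHED:
            continue
        installed = parse_version(entry.get("version", ""))
        if installed is None:
            continue  # branch alias: see unresolved()
        for pkg, low, high in AFFECTED_RANGES:
            if entry["name"] == pkg and parse_version(low) <= installed < parse_version(high):
                findings.append((pkg, entry["version"], high))
                break
    return findings


def unresolved(lock: dict):
    """Watched packages whose version cannot be compared (dev aliases); check by hand."""
    return [e["name"] for e in _entries(lock)
            if e.get("name") in WATCHED and parse_version(e.get("version", "")) is None]


def check_file(path: str):
    """Convenience wrapper for a real composer.lock on disk."""
    with open(path, encoding="utf-8") as fh:
        lock = json.load(fh)
    return find_affected(lock), unresolved(lock)


# Constructed composer.lock fragment (not a real lock file); only the keys the
# checker reads are present.
SAMPLE_LOCK = json.loads("""
{
  "packages": [
    {"name": "drupal/core", "version": "8.8.9"},
    {"name": "drupal/core-recommended", "version": "8.8.9"},
    {"name": "symfony/http-foundation", "version": "v3.4.44"}
  ],
  "packages-dev": [
    {"name": "drupal/core-dev", "version": "8.8.9"}
  ]
}
""")

if __name__ == "__main__":
    for pkg, installed, fixed in find_affected(SAMPLE_LOCK):
        print(f"{pkg} {installed} is affected; update to {fixed} or later")
    for pkg in unresolved(SAMPLE_LOCK):
        print(f"{pkg}: version not comparable, review manually")
```

Run `check_file("composer.lock")` against a project checkout; `drupal/core-recommended` is intentionally not flagged because the table lists only `drupal/core` and `drupal/drupal`, and its constraint pins `drupal/core` anyway.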
Affected products
OSV coordinates (4 version ranges, no CPE assigned):
- range: >= 8.8.0, < 8.8.10
- range: >= 8.0.0, < 8.8.10
- range: >= 8.0.0, < 8.8.10
- Drupal/Core (CVE v5 record) range: 8.8.x
Patches
d4be028d81fb SA-CORE-2020-009 by _nzr_, markwittens, nathandentzau, marcaddeo, janusman, larowlan, David_Rothstein, Wim Leers, vijaycs85, mcdruid, Heine, pandaski, xjm, tim.plunkett
2 files changed · +4 −2
lib/Drupal/Core/Form/FormBuilder.php+2 −1 modified@@ -860,7 +860,8 @@ protected function buildFormAction() { // https://www.drupal.org/node/2504709. $parsed = UrlHelper::parse($request_uri); unset($parsed['query'][static::AJAX_FORM_REQUEST], $parsed['query'][MainContentViewSubscriber::WRAPPER_FORMAT]); - return $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + $action = $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + return UrlHelper::filterBadProtocol($action); } /**
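Review bot: the new `return UrlHelper::filterBadProtocol($action);` lands with no comment saying why a value built from the request URI needs scheme filtering; the only nearby comment (`// https://www.drupal.org/node/2504709.`) explains the unset of the AJAX and wrapper-format query keys, not this. Add a one-line comment above the return stating that the request URI is attacker-influenced and must have disallowed schemes stripped and be escaped for the attribute context, so a later refactor does not drop the call as redundant. Also, this commit touches only production code (2 files changed, +4 −2): a regression test that pushes a request URI starting with a disallowed scheme through `buildFormAction()` and asserts the scheme is gone is missing and should accompany the fix.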
modules/user/src/Plugin/Block/UserLoginBlock.php+2 −1 modified@@ -2,6 +2,7 @@ namespace Drupal\user\Plugin\Block; +use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Access\AccessResult; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Security\TrustedCallbackInterface; @@ -155,7 +156,7 @@ public function build() { public static function renderPlaceholderFormAction() { return [ '#type' => 'markup', - '#markup' => Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString(), + '#markup' => UrlHelper::filterBadProtocol(Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString()), '#cache' => ['contexts' => ['url.path', 'url.query_args']], ]; }
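Review bot: `'#markup' => UrlHelper::filterBadProtocol(Url::fromRoute('<current>', [], [...])->toString())` packs three nested calls into one array value; mirror the `$action` local introduced in the FormBuilder.php hunk by assigning the `->toString()` result to a variable first and filtering that. The `'external' => FALSE` option now sits next to the new filtering with no explanation, which invites a reader to conclude the filter is redundant for an internal route URL; a short comment noting that the `destination` query values come from the request belongs here. The cache contexts `url.path` and `url.query_args` are unchanged and still match the inputs of the rendered value.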
3184fa4b2f3bSA-CORE-2020-009 by _nzr_, markwittens, nathandentzau, marcaddeo, janusman, larowlan, David_Rothstein, Wim Leers, vijaycs85, mcdruid, Heine, pandaski, xjm, tim.plunkett
2 files changed · +4 −2
lib/Drupal/Core/Form/FormBuilder.php+2 −1 modified@@ -861,7 +861,8 @@ protected function buildFormAction() { // https://www.drupal.org/node/2504709. $parsed = UrlHelper::parse($request_uri); unset($parsed['query'][static::AJAX_FORM_REQUEST], $parsed['query'][MainContentViewSubscriber::WRAPPER_FORMAT]); - return $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + $action = $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + return UrlHelper::filterBadProtocol($action); } /**
modules/user/src/Plugin/Block/UserLoginBlock.php+2 −1 modified@@ -2,6 +2,7 @@ namespace Drupal\user\Plugin\Block; +use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Access\AccessResult; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Security\TrustedCallbackInterface; @@ -155,7 +156,7 @@ public function build() { public static function renderPlaceholderFormAction() { return [ '#type' => 'markup', - '#markup' => Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString(), + '#markup' => UrlHelper::filterBadProtocol(Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString()), '#cache' => ['contexts' => ['url.path', 'url.query_args']], ]; }
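Review bot: the FormBuilder.php hunk header in this commit is `@@ -861,7 +861,8 @@`, while the otherwise identical change in commit d4be028d81fb on this page is at `@@ -860,7 +860,8 @@`; a one-line offset is consistent with a straight backport of the same two hunks across the branches named in the description, but the review for this branch should confirm nothing else in `buildFormAction()` differs around the changed lines and that the regression test absent from this +4 −2 commit is added on this branch as well.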
58330ba58d1aSA-CORE-2020-009 by _nzr_, markwittens, nathandentzau, marcaddeo, janusman, larowlan, David_Rothstein, Wim Leers, vijaycs85, mcdruid, Heine, pandaski, xjm, tim.plunkett
2 files changed · +4 −2
lib/Drupal/Core/Form/FormBuilder.php+2 −1 modified@@ -861,7 +861,8 @@ protected function buildFormAction() { // https://www.drupal.org/node/2504709. $parsed = UrlHelper::parse($request_uri); unset($parsed['query'][static::AJAX_FORM_REQUEST], $parsed['query'][MainContentViewSubscriber::WRAPPER_FORMAT]); - return $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + $action = $parsed['path'] . ($parsed['query'] ? ('?' . UrlHelper::buildQuery($parsed['query'])) : ''); + return UrlHelper::filterBadProtocol($action); } /**
modules/user/src/Plugin/Block/UserLoginBlock.php+2 −1 modified@@ -2,6 +2,7 @@ namespace Drupal\user\Plugin\Block; +use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Access\AccessResult; use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Security\TrustedCallbackInterface; @@ -155,7 +156,7 @@ public function build() { public static function renderPlaceholderFormAction() { return [ '#type' => 'markup', - '#markup' => Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString(), + '#markup' => UrlHelper::filterBadProtocol(Url::fromRoute('<current>', [], ['query' => \Drupal::destination()->getAsArray(), 'external' => FALSE])->toString()), '#cache' => ['contexts' => ['url.path', 'url.query_args']], ]; }
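Review bot: this is the third copy of the same two-hunk change and, like the other two, ships without a test file; beyond that, the added `use Drupal\Component\Utility\UrlHelper;` in UserLoginBlock.php should be checked against this branch's existing imports before merge, since a second `use` of the same class name is a fatal error in PHP, and the hunk context shows only the three neighbouring imports, not the whole block.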
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-m6q5-wv4x-fv6h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13668 (NVD advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13668.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13668.yaml (web)
- github.com/drupal/core/commit/3184fa4b2f3b65b44884b5e858cdc7794d34b4c8 (fix commit)
- github.com/drupal/core/commit/58330ba58d1ac6f1a0a549e8dbde8a3e094bf4fb (fix commit)
- github.com/drupal/core/commit/d4be028d81fb6b067513d788b60c3e6fc8fbd0a2 (fix commit)
- www.drupal.org/sa-core-2020-009 (vendor advisory SA-CORE-2020-009, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.