VYPR
High severity · NVD Advisory · Published Feb 11, 2022 · Updated Aug 4, 2024

CVE-2020-13677

Description

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal core JSON:API module fails to check field-level access on relatable resource types, allowing unauthorized content access.

Vulnerability

The JSON:API module in Drupal core versions 8.0.0 through 8.9.18, 9.1.0 through 9.1.12, and 9.2.0 through 9.2.5 does not properly restrict access to content when enumerating relatable resource types. Specifically, the getRelatableResourceTypes() and getRelatableResourceTypesByField() methods omitted a check for disabled fields ($field->isFieldEnabled()), which could expose relationships that the site administrator intended to restrict [3][4]. Sites without the JSON:API module enabled are unaffected [1][2].

Exploitation

An attacker does not need authentication; they only need the ability to send HTTP requests to the Drupal site's JSON:API endpoints. By crafting requests targeting resource relationship fields, the attacker can discover or access content that should be inaccessible based on field configuration (e.g., disabled relationship fields). No user interaction or special privileges are required [2][4]. The vulnerability is triggered during normal API responses when the module enumerates relatable resource types for a given resource.

Impact

Successful exploitation leads to an access bypass: an unauthenticated attacker can read or enumerate content that the site administrator has tried to hide by disabling relationship fields. This constitutes an information disclosure vulnerability of moderate severity, potentially exposing private or unpublished content metadata and relationships [4]. The attacker does not gain write or execution capabilities.

Mitigation

Drupal released fixes on 2021-12-15 (see SA-CORE-2021-010). Administrators should update to Drupal 8.9.19, 9.1.13, or 9.2.6, depending on their version [4]. Versions prior to 8.9.x and 9.1.x are end-of-life and no longer receive security coverage; upgrading to a supported branch is required. There is no workaround if the JSON:API module must remain active—only the patched versions resolve the flaw [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions     Patched versions
drupal/core (Packagist)   >= 8.0.0, < 8.9.19    8.9.19
drupal/core (Packagist)   >= 9.1.0, < 9.1.13    9.1.13
drupal/core (Packagist)   >= 9.2.0, < 9.2.6     9.2.6
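An added check, not part of this advisory or of Drupal's own tooling: the Python below encodes the three affected ranges from the table above and classifies the drupal/core version found in a composer.lock, treating a pre-release of a patched version (for example 9.2.6-rc1) as still affected. The composer.lock fragment is constructed for the demonstration.

```python
"""Classify a drupal/core version against the CVE-2020-13677 ranges listed
above (added example; not Drupal's or the advisory's own tooling)."""
import json
import re

# (lower bound inclusive, upper bound exclusive, patched release) from the
# affected-packages table. Versions are (major, minor, patch, final) tuples
# where final is 0 for a pre-release suffix and 1 for a final release.
AFFECTED_RANGES = [
    ((8, 0, 0, 0), (8, 9, 19, 1), "8.9.19"),
    ((9, 1, 0, 0), (9, 1, 13, 1), "9.1.13"),
    ((9, 2, 0, 0), (9, 2, 6, 1), "9.2.6"),
]
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")

def parse_version(version):
    """Parse '9.2.6' or '9.2.6-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised drupal/core version: {version!r}")
    major, minor, patch, suffix = m.groups()
    # A pre-release sorts below its final release, so 9.2.6-rc1 still falls
    # inside '< 9.2.6' and is reported as affected (conservative choice).
    return (int(major), int(minor), int(patch), 0 if suffix else 1)

def classify(version, jsonapi_enabled=True):
    """Return 'not affected', 'affected', 'patched' or 'unlisted'.
    'not affected' follows the advisory: sites without JSON:API enabled are
    out of scope. 'unlisted' means no listed range covers the version (e.g.
    9.3.x or 9.0.x); check that branch's support status separately."""
    if not jsonapi_enabled:
        return "not affected"
    v = parse_version(version)
    for lo, hi, _patched in AFFECTED_RANGES:
        if lo <= v < hi:
            return "affected"
        if v[:2] == hi[:2] and v >= hi:  # same branch, at or past the fix
            return "patched"
    return "unlisted"

def check_composer_lock(lock_text, jsonapi_enabled=True):
    """Find drupal/core in composer.lock JSON and classify it."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"], classify(pkg["version"], jsonapi_enabled)
    return None, "drupal/core not found"

# Constructed composer.lock fragment for demonstration (not a real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "drupal/core", "version": "9.2.5"}]})
```

Run `check_composer_lock(open("composer.lock").read())` against a real lock file; pass `jsonapi_enabled=False` only after confirming the module is disabled on the site.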

Affected products: 3

Patches: 1

Commit 7a9bef4b4750

SA-CORE-2021-010 by bradjones1, xjm, bbrala, gabesullice, Wim Leers, e0ipso

https://github.com/drupal/core · xjm · Sep 14, 2021 · via ghsa
1 file changed · +2 -2
  • modules/jsonapi/src/ResourceType/ResourceType.php · +2 -2 · modified
    @@ -405,7 +405,7 @@ public function getRelatableResourceTypes() {
           $this->relatableResourceTypesByField = array_reduce(array_map(function (ResourceTypeRelationship $field) {
             return [$field->getPublicName() => $field->getRelatableResourceTypes()];
           }, array_filter($this->fields, function (ResourceTypeField $field) {
    -        return $field instanceof ResourceTypeRelationship;
    +        return $field instanceof ResourceTypeRelationship && $field->isFieldEnabled();
           })), 'array_merge', []);
         }
         return $this->relatableResourceTypesByField;
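Review bot: the patch touches only ResourceType.php, so the new `&& $field->isFieldEnabled()` condition in the array_filter callback ships without a regression test; a kernel test asserting that a disabled relationship field is absent from the map returned by getRelatableResourceTypes() would pin the behaviour the advisory describes. Note also that the map is memoised in `$this->relatableResourceTypesByField`, so anything that toggles a field's enabled state after the first call on the same object will not see the change; worth a sentence in the method's doc comment.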
    @@ -423,7 +423,7 @@ public function getRelatableResourceTypes() {
        * @see self::getRelatableResourceTypes()
        */
       public function getRelatableResourceTypesByField($field_name) {
    -    return ($field = $this->getFieldByPublicName($field_name)) && $field instanceof ResourceTypeRelationship
    +    return ($field = $this->getFieldByPublicName($field_name)) && $field instanceof ResourceTypeRelationship && $field->isFieldEnabled()
           ? $field->getRelatableResourceTypes()
           : [];
       }
    
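Review bot: `$field instanceof ResourceTypeRelationship && $field->isFieldEnabled()` is now written out in full both here and in the array_filter callback of the previous hunk; extracting it into a single private predicate (say, a hypothetical isEnabledRelationship($field)) would keep the two code paths from drifting apart. The doc comment above getRelatableResourceTypesByField() should also say that a disabled field yields `[]` rather than its relatable types, since that is now observable behaviour.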

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
