CVE-2022-25274
Description
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content. This vulnerability only affects sites using Drupal's revision system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal 9.3's revision access API bypasses permissions, allowing users with general revision access to view restricted node and media revisions.
Vulnerability
Drupal 9.3 introduced a generic entity access API for entity revisions, but it was not fully integrated with existing permission checks. This incomplete integration allows an access bypass for users who have permission to use revisions generally, but lack access to specific node and media items [2].
Exploitation
An attacker with a Drupal account that has the 'view revisions' permission for content types can access revisions of individual nodes or media items they would otherwise be restricted from viewing. The attack does not require special privileges beyond typical revision access, and it only affects sites that use Drupal's revision system [3].
Impact
Successful exploitation enables unauthorized reading of revision data, potentially exposing sensitive information contained in previous versions of content. The vulnerability is rated moderately critical [3].
Mitigation
The issue is fixed in Drupal 9.3.12. Users running Drupal 9.3 should update immediately. Earlier versions of Drupal (including Drupal 7 and 8) are not affected [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 9.3.0, < 9.3.12 | 9.3.12 |
Affected products
3 entries (osv-coords), 2 version ranges: >= 9.3.0, < 9.3.12 (+ 1 more)
- (no CPE) range: >= 9.3.0, < 9.3.12
- (no CPE) range: >= 9.3.0, < 9.3.12
- Drupal/Core v5 range: 9.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3 references
- github.com/advisories/GHSA-7jr4-hgqx-vwgq (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25274 (source: ghsa, type: ADVISORY)
- www.drupal.org/sa-core-2022-009 (source: ghsa, type: WEB)
News mentions
No linked articles in our index yet.