CVE-2022-25278
Description
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core form API incorrectly evaluates element access, potentially allowing users to alter unauthorized data in custom forms.
CVE-2022-25278 is an access bypass vulnerability in Drupal core's Form API. Under certain conditions, the API evaluates form element access incorrectly, which may allow a user to modify data they should not have access to [2]. The issue does not affect forms provided by Drupal core itself, but custom or contributed modules and themes that define forms may be vulnerable [4].
To exploit this vulnerability, an attacker likely needs to have a user account with some level of access, as the flaw lies in how access checks are evaluated for form elements. The attack surface is limited to forms that implement custom access logic, making exploitation dependent on the specific implementation [2].
If successfully exploited, an attacker could alter data in ways that bypass intended permissions, potentially leading to privilege escalation or data corruption. The severity is rated moderately critical by Drupal's security team [4].
Mitigation is available through updates: Drupal 9.4 users should upgrade to 9.4.3, and Drupal 9.3 users to 9.3.19. All earlier versions of Drupal 9 and 8 are end-of-life and do not receive security coverage. Drupal 7 is not affected [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 9.3.19 | 9.3.19 |
| drupal/core (Packagist) | >= 9.4.0, < 9.4.3 | 9.4.3 |
Affected products
3 entries (OSV coordinates, 2 version ranges)
- (no CPE) range: >= 8.0.0, < 9.3.19
- (no CPE) range: >= 8.0.0, < 9.3.19
- Drupal/Core (v5) range: 9.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.