CVE-2024-45440
Description
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-45440: Drupal 11.x-dev exposes full server path via core/authorize.php when a non-existent file is used for hash_salt.
Vulnerability
CVE-2024-45440 is a Full Path Disclosure vulnerability in Drupal 11.x-dev. The issue resides in core/authorize.php, which reveals the full server path when the hash_salt configuration value is set to the result of file_get_contents for a file that does not exist [2]. The disclosure occurs even when error logging is set to 'None', so that setting does not suppress it.
Exploitation
An attacker can exploit this by sending a request to the vulnerable endpoint core/authorize.php on a Drupal 11.x-dev instance where the hash_salt is configured incorrectly (e.g., pointing to a missing file). No authentication is required. A proof-of-concept exploit has been publicly released [4], demonstrating how to extract the full path from the error message.
Impact
Successful exploitation reveals the full server filesystem path (e.g., /var/www/html/sites/default/settings.php). While this alone does not allow code execution or data theft, it aids attackers in further reconnaissance by confirming the installation path, which can be used for more targeted attacks such as local file inclusion or directory traversal.
Mitigation
Drupal has released security updates in versions 10.3.6 [1] and 11.0.5 [3] that address this vulnerability. Users running Drupal 11.x-dev or any affected branch should upgrade to these patched versions immediately. Apart from correcting the hash_salt configuration, no workaround has been provided; upgrading is the recommended fix.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/drupal | Packagist | >= 10.3.0, < 10.3.6 | 10.3.6 |
| drupal/drupal | Packagist | >= 11.0.0, < 11.0.5 | 11.0.5 |
| drupal/core-recommended | Packagist | >= 10.3.0, < 10.3.6 | 10.3.6 |
| drupal/core-recommended | Packagist | >= 11.0.0, < 11.0.5 | 11.0.5 |
| drupal/core | Packagist | >= 10.3.0, < 10.3.6 | 10.3.6 |
| drupal/core | Packagist | >= 11.0.0, < 11.0.5 | 11.0.5 |
| drupal/drupal | Packagist | >= 8.0.0, < 10.2.9 | 10.2.9 |
| drupal/core-recommended | Packagist | >= 8.0.0, < 10.2.9 | 10.2.9 |
| drupal/core | Packagist | >= 8.0.0, < 10.2.9 | 10.2.9 |
Affected products
- GHSA coordinates (no CPE), 3 version ranges: >= 10.3.0, < 10.3.6 (+ 2 more)
- Drupal/Drupal core (CPE v5 range): v11.x-dev
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mg8j-w93w-xjgc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-45440 (GHSA, advisory)
- github.com/github/advisory-database/pull/4827 (GHSA, web)
- senscybersecurity.nl/CVE-2024-45440-Explained (GHSA, web)
- www.drupal.org/project/drupal/issues/3457781 (GHSA, web)
- www.drupal.org/project/drupal/releases/10.2.9 (GHSA, web)
- www.drupal.org/project/drupal/releases/10.3.6 (GHSA, web)
- www.drupal.org/project/drupal/releases/11.0.5 (GHSA, web)
- www.exploit-db.com/exploits/52266 (GHSA, web)
- senscybersecurity.nl/CVE-2024-45440-Explained/ (MITRE)
News mentions
No linked articles in our index yet.