Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Description
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal core's Actions system has an incorrect authorization vulnerability that allows users to perform unauthorized bulk operations on content, bypassing individual field-level permissions.
Vulnerability description
CVE-2025-31673 is an incorrect authorization vulnerability in Drupal core's Actions system, specifically affecting bulk operations on content pages such as /admin/content. The bug allows users to modify certain fields through bulk actions (e.g., making content sticky, promoting to the front page, publishing/unpublishing) without having the individual field-level permissions that would normally be required. This occurs because the core Actions system fails to properly enforce permissions for these bulk operations, effectively bypassing the intended access controls [2].
Exploitation
An attacker must have access to the admin content page or a custom view that uses bulk operations, and must already have permission to edit nodes. These prerequisites limit the vulnerability, but once they are met, the attacker can select multiple nodes and apply bulk actions that should be restricted. For example, a user with only edit permission on specific fields could still change the sticky or published status of content using bulk operations [3].
Impact
Successful exploitation allows an attacker to forcibly modify content attributes such as the sticky, promoted, or published status across multiple nodes simultaneously. This could lead to unauthorized changes in content visibility and presentation, potentially disrupting site operations or causing defacement. The vulnerability does not grant full administrative access, but it compromises the integrity of content management [2][3].
Mitigation
The vulnerability has been addressed in Drupal core versions: 10.3.13, 10.4.3, 11.0.12, and 11.1.3. Users running older versions should update immediately. Drupal versions prior to 10.3 are end-of-life and no longer receive security updates. Note that the bulk actions for sticky, promote, publish, and related operations now require the "Administer content" permission in the fixed releases [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.0.0, < 10.3.13 | 10.3.13 |
| drupal/core (Packagist) | >= 10.4.0, < 10.4.3 | 10.4.3 |
| drupal/core (Packagist) | >= 11.0.0, < 11.0.12 | 11.0.12 |
| drupal/core (Packagist) | >= 11.1.0, < 11.1.3 | 11.1.3 |
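An added check, not part of the advisory or of Drupal itself, that tests an installed drupal/core version string against the four affected ranges in the table above. It assumes plain X.Y.Z version strings; a pre-release suffix such as "-beta1" is ignored and the numeric part compared as-is.

```python
"""Check a drupal/core version against the published affected ranges for
SA-CORE-2025-002 / CVE-2025-31673 (ranges copied from the advisory table)."""
import re
import sys
from typing import Optional, Tuple

# (first affected, first fixed) for each release series, as published.
AFFECTED_RANGES = [
    ("8.0.0", "10.3.13"),
    ("10.4.0", "10.4.3"),
    ("11.0.0", "11.0.12"),
    ("11.1.0", "11.1.3"),
]

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' or 'vX.Y.Z'. Assumption: a '-rc1'/'-beta2' style
    suffix is dropped and the release is compared by its numeric part."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def affected_by_sa_core_2025_002(version: str) -> Optional[str]:
    """Return the first fixed release to upgrade to if `version` lies inside
    an affected range, or None if it is already patched or out of scope
    (e.g. Drupal 7, which these ranges do not cover)."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


if __name__ == "__main__":
    # Usage: python check.py 10.3.12   (version from `composer show drupal/core`)
    fix = affected_by_sa_core_2025_002(sys.argv[1])
    print("affected, upgrade to " + fix if fix else "not in an affected range")
```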
Affected products
- OSV coordinates (no CPE), 2 version ranges: >= 8.0.0, < 10.4.3; >= 8.0.0, < 10.3.13
- Drupal / Drupal core (CPE v5 range): 8.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-wpp8-fjgf-pwc7 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-31673 (NVD advisory)
- [3] https://www.drupal.org/sa-core-2025-002 (Drupal security advisory, web)
News mentions
- Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 (Drupal Security Advisories, Feb 19, 2025)