Moderate severity · NVD Advisory · Published Mar 31, 2025 · Updated Apr 29, 2025

AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

CVE-2025-31678

Description

Missing access check in Drupal AI Logging sub-module allows unauthorized viewing of request logs, though API keys remain protected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The AI Logging sub-module, part of the Drupal AI module, provides logging of AI requests and responses for debugging and auditing. However, a missing or insufficient authorization check in the preview listing view allows users without the proper permission to view the list of logged entries [1][2]. The Drupal security advisory notes that full log details remain properly protected and API keys are never logged, so the exposure is limited to metadata visible in the listing [2].

Exploitation

This vulnerability can be exploited by any user who can access the preview listing page of the AI logs. No special privileges are required beyond the ability to browse the site, making it a Forceful Browsing issue [1]. The vulnerability only affects sites that have the AI Logging sub-module enabled and have 'Log requests' turned on in its configuration page [2].

Impact

An attacker who gains access to the log listing can see information about AI requests made on the site, such as timestamps and possibly prompt or response metadata. While this does not expose sensitive API keys, it could leak details about admin or user interactions with AI features, potentially aiding in reconnaissance [2].

Mitigation

The issue is fixed in AI module version 1.0.3. The recommended action is to upgrade to that version, which includes an update hook that adjusts the view to require the appropriate 'view ai log' permission. As a workaround, the AI Logging sub-module can be disabled entirely, or the view's access check can be manually updated [2].
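To confirm the upgrade or the manual workaround took effect, the view's exported configuration can be checked for a permission-based access rule on every display. The following is an added example, not code from the AI module or the advisory: the function name and the sample configuration are constructed, and the view's machine name is not given on this page, so the input is assumed to be the view's configuration exported as JSON (for example with `drush config:get views.view.VIEW_ID --format=json`).

```python
import json

REQUIRED_PERM = "view ai log"  # permission named in the mitigation text above


def audit_view_access(view_config, required_perm=REQUIRED_PERM):
    """Return {display_id: problem} for displays that do not enforce required_perm."""
    displays = view_config.get("display") or {}
    default_opts = (displays.get("default") or {}).get("display_options") or {}
    default_access = default_opts.get("access")
    findings = {}
    for display_id, display in displays.items():
        opts = display.get("display_options") or {}
        # A display uses its own access block only when it overrides the default
        # display (defaults.access is false); otherwise it inherits the default's.
        overrides = (opts.get("defaults") or {}).get("access") is False
        own = display_id == "default" or overrides
        access = (opts.get("access") if own else default_access) or {}
        kind = access.get("type", "none")
        # PHP-exported JSON renders an empty options mapping as [], so normalise it.
        perm = (access.get("options") or {}).get("perm")
        if kind != "perm":
            findings[display_id] = f"access type is '{kind}', not permission-based"
        elif perm != required_perm:
            findings[display_id] = f"requires '{perm}' instead of '{required_perm}'"
    return findings


# Constructed sample: the default display is unrestricted, page_1 inherits it,
# and block_1 overrides access with the required permission.
SAMPLE_VIEW = json.loads("""
{
  "id": "VIEW_ID_PLACEHOLDER",
  "display": {
    "default": {"display_options": {"access": {"type": "none", "options": []}}},
    "page_1":  {"display_options": {"path": "placeholder/path"}},
    "block_1": {"display_options": {
        "defaults": {"access": false},
        "access": {"type": "perm", "options": {"perm": "view ai log"}}}}
  }
}
""")

if __name__ == "__main__":
    for display_id, problem in audit_view_access(SAMPLE_VIEW).items():
        print(f"{display_id}: {problem}")
```

An empty result means every display, inherited or overridden, requires the permission.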

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/ai (Packagist) | < 1.0.3 | 1.0.3
