Critical severity 9.8 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8495

Description

Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing.

This issue affects Date iCal: from 0.0.0 before 4.0.15.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Drupal Date iCal before 4.0.15 lets anonymous users force-browse iCal feeds to access restricted entity data.

Vulnerability

The Date iCal module for Drupal 10/11, versions before 4.0.15, fails to properly check entity or field access when generating iCal feeds. The module also does not sanitize user inputs for these feeds. This missing authorization allows forceful browsing, meaning an attacker can directly access iCal feed routes without proper permission checks. The vulnerability affects all versions from 0.0.0 up to but not including 4.0.15, and is present by default with no configuration required [1].

Exploitation

An attacker with no authentication and no special privileges can exploit this vulnerability simply by requesting the iCal feed routes. The module makes these routes accessible to all anonymous users without any permission checks. No user interaction or complex precondition is required; the attacker only needs network access to the Drupal site. The lack of input sanitization further aids exploitation [1].

Impact

Successful exploitation leads to information disclosure of restricted entity data and fields that were meant to be protected. Since the iCal feeds can expose field contents without access control, an attacker can retrieve sensitive information from entities they are not authorized to view. The impact is primarily confidentiality loss, with no indication of integrity or availability impact in the available references [1].

Mitigation

The fix is available in Date iCal version 4.0.15. Users should upgrade to this version immediately. There is no known workaround; upgrading is the sole mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
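
A defender-side check for the affected range above, as an added example that is not part of the advisory or of the Date iCal project: it reads a site's `composer.lock` and reports whether the installed Date iCal release is below 4.0.15. The Composer package name `drupal/date_ical` and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/date_ical"  # assumed Composer package name for Date iCal
FIXED = (4, 0, 15)            # first fixed release, per the advisory


def parse_version(text):
    """Return (major, minor, patch) for a plain x.y[.z] release, else None.

    Dev branches, aliases and pre-releases return None so the caller can
    flag them for manual review instead of guessing.
    """
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def date_ical_status(lock_text):
    """Classify a composer.lock as (status, installed_version).

    status is 'absent', 'vulnerable', 'fixed' or 'unknown'.
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    for pkg in packages:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            return "unknown", raw
        return ("vulnerable" if version < FIXED else "fixed"), raw
    return "absent", None


# Constructed sample lock file (not taken from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/date_ical", "version": "4.0.14"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(date_ical_status(SAMPLE_LOCK))
```

An `unknown` result means the lock file pins a branch or pre-release, so the installed code has to be compared against the 4.0.15 release by hand.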

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
