Drupal Core Cache Poisoning and Open Redirect Vulnerability (CVE-2026-55806)
A less critical cache poisoning and open redirect vulnerability in Drupal core's rebuild.php front controller could allow attackers to poison caches or redirect users to malicious domains.

The Drupal Security Team has disclosed a cache poisoning and open redirect vulnerability in Drupal core, tracked as CVE-2026-55806. The flaw resides in the rebuild.php front controller, a script used to rebuild Drupal by clearing caches and rebuilding the container when a site is in an unexpected condition. According to the advisory, this script fails to properly validate the Host header against the list of trusted host patterns, potentially enabling an attacker to poison caches or redirect users to an attacker-controlled domain.
The vulnerability affects Drupal core versions prior to 10.5.12, 10.6.11, 11.2.14, and 11.3.12, as well as the end-of-life branches 11.0.x, 11.1.x, 10.4.x, and below. The Drupal Security Team has rated the issue as less critical with a security risk score of 9 out of 25, with an attack complexity of Basic, no authentication required, and no impact on integrity or availability. Although the advisory describes the exploit vector as theoretical, rebuild.php ships with Drupal core by default, so sites that have not yet patched remain exposed.
The rebuild.php script is a legitimate administrative tool, but its improper Host header validation opens the door to cache poisoning attacks. In a cache poisoning scenario, an attacker could inject malicious content into a cached response, serving it to subsequent visitors. The open redirect aspect could be used in phishing campaigns, where a user clicks a link on a legitimate Drupal site and is redirected to a malicious domain without their knowledge.
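The defensive angle on the flaw described above is twofold: the site's `trusted_host_patterns` setting in settings.php defines which Host values Drupal considers legitimate, and web server logs show whether rebuild.php has been requested with a Host header outside that list. The following script is an added example, not code from Drupal or the advisory. It approximates the semantics Drupal applies to `trusted_host_patterns` (each entry is a regular expression matched case-insensitively against the hostname with any port stripped) and runs that check over constructed access log lines in which the Host header has been appended as the last field. The pattern list, the log format, and the log lines are assumptions for the example; substitute your own hostnames and log layout.

```python
import re

# Trusted host patterns in the style of Drupal's $settings['trusted_host_patterns'].
# Constructed for this example; replace with the hostnames your site actually serves.
TRUSTED_HOST_PATTERNS = [
    r"^www\.example\.com$",
    r"^example\.com$",
    r"^[a-z0-9-]+\.example\.com$",
]


def host_is_trusted(host_header, patterns=TRUSTED_HOST_PATTERNS):
    """Return True if a Host header value matches one of the trusted patterns.

    Approximates Drupal's trusted_host_patterns handling: the header is
    lower-cased, a trailing ":port" is removed, and every pattern is a
    case-insensitive regular expression. An empty Host header is never trusted.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal such as "[::1]:8080": keep the literal, drop the port.
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return any(re.search(pattern, host, re.IGNORECASE) for pattern in patterns)


# Constructed access log lines (not real traffic) in the shape produced by an
# Apache LogFormat of "%h %t \"%r\" %>s %{Host}i": client, timestamp, request
# line, status, then the Host header the client sent.
SAMPLE_LOG = """\
203.0.113.10 [10/May/2026:12:00:01 +0000] "GET /rebuild.php HTTP/1.1" 200 www.example.com
203.0.113.11 [10/May/2026:12:00:02 +0000] "GET /rebuild.php HTTP/1.1" 200 untrusted.invalid
203.0.113.12 [10/May/2026:12:00:03 +0000] "GET /node/1 HTTP/1.1" 200 untrusted.invalid
203.0.113.13 [10/May/2026:12:00:04 +0000] "GET /rebuild.php HTTP/1.1" 403 Example.COM:8080
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<host>\S+)$"
)


def find_suspicious_rebuild_requests(log_text, patterns=TRUSTED_HOST_PATTERNS):
    """Return (client_ip, host_header, path) for rebuild.php requests whose
    Host header does not match any trusted pattern. Other paths are ignored;
    the Host check for those is Drupal's job on every request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match.group("path").split("?")[0]
        if not path.endswith("/rebuild.php"):
            continue
        if not host_is_trusted(match.group("host"), patterns):
            hits.append((match.group("ip"), match.group("host"), path))
    return hits


if __name__ == "__main__":
    for ip, host, path in find_suspicious_rebuild_requests(SAMPLE_LOG):
        print(f"untrusted Host {host!r} on {path} from {ip}")
```

Only the second constructed line is reported: the fourth line carries a trusted hostname that differs only in case and port, which the normalization accepts, and the third line hits a normal path rather than rebuild.php. A clean result from this kind of sweep is useful context for triage but is not a substitute for applying the released updates, since the advisory's point is precisely that rebuild.php did not enforce the trusted host list on its own.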
The Drupal Security Team has released patches for all supported branches. Administrators running Drupal 11.3.x should update to version 11.3.12; those on 11.2.x should update to 11.2.14. For Drupal 10, users on 10.6.x should update to 10.6.11, and those on 10.5.x should update to 10.5.12. Sites running Drupal 11.1.x, 11.0.x, 10.4.x, and below are end-of-life and do not receive security coverage; they are strongly advised to upgrade to a supported branch immediately.
The vulnerability was reported by Melih Acikoz, Michael Winser, and Willem Drupal enthousiast, and fixed by Lee Rowlands of the Drupal Security Team, along with several other team members. This advisory follows a recent disclosure of a moderately critical SSRF vulnerability in Drupal core's Media module (CVE-2026-55807), highlighting the ongoing need for timely patching in the widely used content management system.
Organizations using Drupal should prioritize applying the available patches to mitigate the risk of cache poisoning and open redirect attacks. While the severity is rated less critical, the potential for abuse in phishing campaigns and the ease of exploitation make this a vulnerability that should not be ignored.