VYPR advisory
Published Jun 17, 2026 · 1 source

Drupal Core SSRF Vulnerability in oEmbed Discovery (CVE-2026-55807)

A moderately critical server-side request forgery vulnerability in Drupal core's Media module oEmbed URL discovery could allow attackers to trick Drupal into making unauthorized server-side requests.

The Drupal Security Team has disclosed a server-side request forgery (SSRF) vulnerability in Drupal core, tracked as CVE-2026-55807, affecting the Media module's oEmbed URL discovery mechanism. The flaw, rated moderately critical with a CVSS score of 10 out of 25, allows an attacker to trick Drupal into making unauthorized server-side requests to arbitrary URLs. This could potentially be leveraged to probe internal networks, access cloud metadata endpoints, or interact with other internal services.

The vulnerability resides in the oEmbed URL discovery code. The oEmbed specification defines two discovery mechanisms: a providers.json file that lists known providers (such as YouTube and Vimeo), and a URL discovery method that automatically fetches and parses oEmbed endpoints from arbitrary URLs. The URL discovery code lacked sufficient validation, enabling an attacker to craft a request that forces Drupal to make server-side HTTP requests to any URL, including internal or restricted resources.

All supported versions of Drupal core are affected: versions prior to 10.5.12, 10.6.x prior to 10.6.11, 11.2.x prior to 11.2.14, and 11.3.x prior to 11.3.12. End-of-life branches (Drupal 11.0.x, 11.1.x, 10.4.x, and earlier) do not receive security coverage and remain vulnerable. The Drupal Security Team strongly recommends that all site administrators update to the latest patched versions immediately.

In addition to applying the patch, administrators who use oEmbed URL discovery must now configure a list of trusted oEmbed discovery hosts in settings.php. This new security measure requires defining an array of regular expressions that match the host names allowed for URL discovery, following the same pattern as the existing trusted hosts setting. For example, to allow discovery only from example.com, administrators would add the following line to settings.php:

$settings['media_oembed_discovery_trusted_host_patterns'] = [ '^example\\.com$' ];
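The following is an added example, not Drupal core code, showing how an allow-list of host regular expressions in the form the advisory gives for settings.php can gate oEmbed URL discovery before any server-side request is made. The setting name $settings['media_oembed_discovery_trusted_host_patterns'] comes from the advisory; the function names (isTrustedDiscoveryHost, checkDiscoveryUrl, extractOembedEndpoints, discoverEndpoints), the sample HTML and the pattern values are assumptions constructed for the example. The advisory does not state whether Drupal applies the setting to the URL the user submits, to the endpoint advertised by the fetched page, or to both; this example checks both hops, since the second URL is under the remote page's control.

```php
<?php
// Added example, not Drupal core code. Demonstrates an allow-list of host
// regular expressions (the settings.php form the advisory describes) applied
// to oEmbed URL discovery. All function names here are hypothetical.

declare(strict_types=1);

/**
 * TRUE when $host matches at least one pattern. Patterns are PCRE bodies
 * without delimiters, matched case-insensitively; anchoring is the pattern
 * author's job, so '^example\.com$' matches only that exact host.
 */
function isTrustedDiscoveryHost(string $host, array $patterns): bool {
    $host = strtolower($host);
    foreach ($patterns as $pattern) {
        if (preg_match('{' . $pattern . '}i', $host) === 1) {
            return TRUE;
        }
    }
    return FALSE;
}

/**
 * Validates a URL before any server-side request is made for it.
 * Returns NULL when acceptable, otherwise a reason string for the log.
 */
function checkDiscoveryUrl(string $url, array $patterns): ?string {
    $parts = parse_url($url);
    if ($parts === FALSE || empty($parts['host'])) {
        return 'unparseable URL or missing host';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], TRUE)) {
        return "scheme '$scheme' not permitted";
    }
    // user:pass@host confuses naive host extraction; refuse it outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'userinfo in URL not permitted';
    }
    if (!isTrustedDiscoveryHost($parts['host'], $patterns)) {
        return "host '{$parts['host']}' is not a trusted discovery host";
    }
    return NULL;
}

/**
 * Extracts oEmbed endpoint URLs advertised by an HTML page through
 * <link rel="alternate" type="application/json+oembed" href="..."> tags.
 * Regex-based for brevity; a production extractor should use a DOM parser.
 */
function extractOembedEndpoints(string $html): array {
    $endpoints = [];
    preg_match_all('{<link\b[^>]*>}i', $html, $tags);
    foreach ($tags[0] as $tag) {
        if (preg_match('{\btype\s*=\s*["\']application/(json|xml)\+oembed["\']}i', $tag)
            && preg_match('{\bhref\s*=\s*["\']([^"\']+)["\']}i', $tag, $m)) {
            $endpoints[] = html_entity_decode($m[1]);
        }
    }
    return $endpoints;
}

/**
 * Discovery with the allow-list applied at both hops: the page the user asked
 * to embed, and every endpoint that page advertises. $html is passed in so the
 * example runs offline; a real caller would fetch it only after the first check.
 */
function discoverEndpoints(string $pageUrl, string $html, array $patterns): array {
    $result = ['allowed' => [], 'denied' => []];
    if (($reason = checkDiscoveryUrl($pageUrl, $patterns)) !== NULL) {
        $result['denied'][$pageUrl] = $reason;
        return $result;                      // never fetch an untrusted page
    }
    foreach (extractOembedEndpoints($html) as $endpoint) {
        $reason = checkDiscoveryUrl($endpoint, $patterns);
        if ($reason === NULL) {
            $result['allowed'][] = $endpoint;
        } else {
            $result['denied'][$endpoint] = $reason;
        }
    }
    return $result;
}

// Allow-list in the advisory's settings.php form (value constructed here).
$settings['media_oembed_discovery_trusted_host_patterns'] = ['^example\\.com$'];
$patterns = $settings['media_oembed_discovery_trusted_host_patterns'];

// Constructed HTML: a page on the trusted host that advertises one endpoint on
// its own host and one pointing at a cloud metadata address.
$html = <<<HTML
<html><head>
<link rel="alternate" type="application/json+oembed"
      href="https://example.com/oembed?url=https%3A%2F%2Fexample.com%2Fv%2F1">
<link rel="alternate" type="application/json+oembed"
      href="http://169.254.169.254/latest/meta-data/">
</head></html>
HTML;

print_r(discoverEndpoints('https://example.com/v/1', $html, $patterns));
print_r(discoverEndpoints('https://example.com.other.test/v/1', $html, $patterns));
```

With the allow-list above, the first call admits the example.com endpoint and refuses the metadata address at the second hop; the second call is refused at the first hop because the anchored pattern does not match example.com.other.test, so nothing would be fetched. Two caveats a practitioner should keep in mind: an unanchored pattern such as 'example\.com' would match that look-alike host, and an HTTP client that follows redirects must re-apply the same check to each redirect target, or the allow-list only covers the first request.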

The vulnerability was reported by a team of security researchers including Hamed Kohi, Assaf alassaf, Albert Skibinski, Jon Minder, Lautaro Casanova, Gabe Sullice, John Morahan, Michael Winser, nbanderson, offensive-ai, Francesco Placella, quynh ho, and Himanshu Anand. The fix was coordinated and implemented by members of the Drupal Security Team, including Lee Rowlands, Dave Long, Drew Webber, Adam G-H, and Sean Blommaert.

This advisory follows a recent batch of four Drupal core security advisories disclosed on June 3, 2026, and a separate vulnerability in the JSON:API and REST modules that allowed non-image file uploads. The SSRF flaw underscores the importance of validating external URL inputs, especially in content embedding features that interact with remote services. Site administrators are urged to update promptly and review their oEmbed configuration to ensure only trusted hosts are permitted for URL discovery.

Synthesized by Vypr AI