VYPR
Advisory · Published Jun 17, 2026 · 1 source

Drupal Core Vulnerability Allows Non-Image File Uploads via JSON:API and REST Modules

A moderately critical improper-validation vulnerability in Drupal core's JSON:API and REST modules lets authenticated users with upload access place non-image files in image fields, which can lead to cross-site scripting if the web server ends up serving those files by their real content rather than as images.

The Drupal Security Team has released a security advisory (SA-CORE-2026-009) addressing an improper validation vulnerability in Drupal core, tracked as CVE-2026-55808. The flaw affects the JSON:API and REST modules, which are widely used for headless and decoupled Drupal implementations. Through these modules, a user who can upload to an image field can submit a file whose content is never checked against the MIME types the field is meant to accept, so a non-image file can land in the files directory under an image name and, depending on server configuration, be served with its actual MIME type.

The core issue lies in the validation logic: the modules check the extension of the uploaded file name but never verify that the file's content is actually an image of that type. An attacker can therefore upload a file named with a .jpg extension that contains HTML or JavaScript. Most web servers choose the Content-Type from the extension, so such a file is normally sent as image/jpeg and a browser will not execute it; the danger arises where the server sniffs the content to pick a type, or sends no Content-Type at all and leaves the browser to guess. In those configurations the payload is rendered as a page in the victim's browser, under the site's origin, giving cross-site scripting (XSS) or other unexpected behaviour.
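The two checks side by side, as an added example that is not Drupal's code and not taken from the advisory: an extension-only check of the kind described above, a content-based check that refuses the same upload, and, going one step beyond the advisory, a scanner that walks an uploads directory (for instance sites/default/files) and reports files whose bytes do not match their image extension, which is how you would look for anything accepted before the patch. The allowed-extension list, the magic-byte signatures and the sample files are assumptions constructed for the example; adjust the list to the field's configuration.

```python
"""Content-based validation of "image" uploads (added example, not Drupal code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions commonly allowed on an image field, mapped to the MIME type their
# content must actually have. Assumption: match this to your field settings.
ALLOWED = {
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "webp": "image/webp",
}


def sniff_image_mime(data: bytes) -> str | None:
    """Return the image MIME type implied by the leading bytes, or None."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def extension_only_check(filename: str) -> bool:
    """The weak check: trusts the client-supplied name, never looks at the bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Accept only if the extension is allowed AND the content is that image type.

    Returns (accepted, reason) so a caller can log why an upload was refused.
    """
    if not extension_only_check(filename):
        return False, "extension not allowed"
    expected = ALLOWED[filename.rsplit(".", 1)[-1].lower()]
    actual = sniff_image_mime(data)
    if actual is None:
        return False, "content is not a recognised image"
    if actual != expected:
        return False, f"content is {actual} but extension implies {expected}"
    return True, "ok"


def scan_directory(root: str | os.PathLike) -> list[tuple[str, str]]:
    """Walk an uploads tree and report files whose content fails validation.

    Only files carrying an allowed image extension are examined; other files
    are outside the scope of this check.
    """
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not extension_only_check(path.name):
            continue
        with path.open("rb") as fh:
            head = fh.read(32)  # longest signature checked ends at byte 12
        ok, reason = validate_image_upload(path.name, head)
        if not ok:
            findings.append((str(path.relative_to(root)), reason))
    return findings


# Constructed sample files (not real uploads): a JPEG and a PNG header, an
# HTML payload under a .jpg name, and a PNG body under a .gif name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "evil.jpg": b"<html><body><script>alert(document.domain)</script></body></html>",
    "mismatch.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.txt": b"not an image and not examined",
}


def demo_scan() -> list[tuple[str, str]]:
    """Write SAMPLES to a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            Path(tmp, name).write_bytes(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, reason in demo_scan():
        print(f"{name}: {reason}")
```

Running the script reports evil.jpg (content is not an image) and mismatch.gif (PNG bytes under a GIF name) while accepting the genuine headers. A magic-byte check is the minimum; it does not catch a well-formed image with script text hidden in a comment segment, which is why the Content-Type and nosniff hardening discussed below still matters, and why re-encoding uploaded images through an image library is a stronger option where the site can afford it.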

The vulnerability affects Drupal core versions prior to 10.5.12, 10.6.11, 11.2.14, and 11.3.12. Drupal 11.1.x, 11.0.x, 10.4.x, and earlier versions are end-of-life and do not receive security coverage. The Drupal Security Team has rated the vulnerability as moderately critical with a risk score of 11 out of 25, noting that exploitation requires an authenticated user with the ability to upload files to image fields, making the attack complexity high.

Users are strongly advised to update to the latest patched versions immediately. For Drupal 11.3.x, update to 11.3.12; for 11.2.x, update to 11.2.14; for 10.6.x, update to 10.6.11; and for 10.5.x, update to 10.5.12. The advisory notes that Drupal 8 and Drupal 9 have both reached end-of-life and are no longer supported.

The vulnerability was reported by cantina_security and fixed by Björn Brala (bbrala), Kim Pepper (kim.pepper), and Lee Rowlands (larowlan) of the Drupal Security Team. Coordination was handled by Damien McKenna, Greg Knaddison, Lee Rowlands, Dave Long, Juraj Nemec, and Jess of the Drupal Security Team.

Validation bypasses in file upload paths are a recurring class of bug in content management systems, and Drupal's footprint in enterprise and government sites means a moderately critical issue can still matter a great deal where the preconditions hold. Two follow-up steps are worth taking alongside the update. First, a validation fix does not re-check files that were accepted before it was applied, so the files directory should be reviewed for content that does not match its image extension. Second, review the web server configuration for the files directory: every response should carry an explicit Content-Type derived from the extension, and setting X-Content-Type-Options: nosniff stops browsers from guessing a type from the bytes. These are general hardening measures that limit the impact of any mis-typed upload; they do not replace the update.

Synthesized by Vypr AI