{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3573", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T21:17:43.868Z", "datePublished": "2026-03-26T20:10:13.350Z", "dateUpdated": "2026-03-30T14:54:43.980Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}, "title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "datePublic": "2026-03-11T16:33:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"vendor": "Drupal", "product": "AI (Artificial Intelligence)", "collectionURL": "https://www.drupal.org/project/ai", "repo": "https://git.drupalcode.org/project/ai", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "credits": [{"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "finder"}, {"lang": "en", "value": "Artem Dmitriiev (a.dmitriiev)", "type": "remediation developer"}, {"lang": "en", "value": "Abhisek Mazumdar (abhisekmazumdar)", "type": "remediation developer"}, {"lang": "en", "value": "Dave Long (longwave)", "type": "remediation developer"}, {"lang": "en", "value": "Marcus Johansson (marcus_johansson)", "type": "remediation developer"}, {"lang": "en", "value": "Valery Lourie (valthebald)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:40:38.581589Z", "id": "CVE-2026-3573", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:43.980Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3573", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:40:38.581589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:40:50.719Z"}}], "cna": {"title": "AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Artem Dmitriiev (a.dmitriiev)"}, {"lang": "en", "type": "remediation developer", "value": "Abhisek Mazumdar (abhisekmazumdar)"}, {"lang": "en", "type": "remediation developer", "value": "Dave Long (longwave)"}, {"lang": "en", "type": "remediation developer", "value": "Marcus Johansson (marcus_johansson)"}, {"lang": "en", "type": "remediation developer", "value": "Valery Lourie (valthebald)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-240", "descriptions": [{"lang": "en", "value": "CAPEC-240 Resource Injection"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ai", "vendor": "Drupal", "product": "AI (Artificial Intelligence)", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.11", "versionType": "semver"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.12", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ai", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T16:33:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-028"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.<p>This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:10:13.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3573", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:43.980Z", "dateReserved": "2026-03-04T21:17:43.868Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:10:13.350Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artificial_intelligence_project:artificial_intelligence:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "71AE206A-B714-49CF-8581-AB8B167F0C05", "versionEndExcluding": "1.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:artificial_intelligence_project:artificial_intelligence:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "B8C36E65-EE16-4222-BA85-3A449B810D5C", "versionEndExcluding": "1.2.12", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n incorrecta en Drupal IA (Inteligencia Artificial) permite la inyecci\u00f3n de recursos. Este problema afecta a IA (Inteligencia Artificial): desde 0.0.0 antes de 1.1.11, desde 1.2.0 antes de 1.2.12."}], "id": "CVE-2026-3573", "lastModified": "2026-03-31T20:41:55.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.557", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-028"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.12)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 94.0, "source": "matching"}]}, "original": {"product": "AI (Artificial Intelligence)", "source": "cna", "vendor": "Drupal"}, "product": "artificial_intelligence", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-30T17:29:46.876621+00:00", "value": {"mitigation_remediation": ["Verify the installed AI module version against the affected ranges.", "Install the latest AI module release, any version newer than 1.1.11 or 1.2.12, following Drupal\u2019s recommended update procedures.", "If an immediate update is not feasible, restrict network access to the AI module\u2019s endpoints using firewall rules or .htaccess restrictions and enforce the least\u2011privileged role capabilities.", "Enable detailed logging for AI resource accesses and monitor logs for unauthorized activity.", "Consult the Drupal security advisory and relevant vendor documentation for any additional guidance or temporary mitigations."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Drupal installations containing the AI (Artificial Intelligence) module versions from the initial release 0.0.0 up to, but not including, 1.1.11, as well as from 1.2.0 up to, but not including, 1.2.12 are affected. Any site running any of these versions without a patch is susceptible.", "description_and_impact": "The CVE describes an Incorrect Authorization vulnerability in the Drupal AI (Artificial Intelligence) module that permits resource injection. This flaw enables an attacker to retrieve data that should otherwise be protected, representing an information disclosure vulnerability classified as CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity potential impact, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The advisory does not list this CVE in the CISA KEV catalog, implying no actively used exploits are recorded. The specific attack vector, exploitation prerequisites, or conditions are not detailed in the provided description."}}}}, "created": "2026-03-27T08:32:09.021401+00:00", "updated": "2026-03-30T20:57:29.990738+00:00", "vendors": ["drupal", "drupal$PRODUCT$artificial_intelligence"]}