CVE-2025-13985

CVE-2025-13985: Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

Vendor: Drupal
Product: Entity Share
Weakness: CWE-863 · Incorrect authorization
Published: January 28, 2026
Last update: January 29, 2026

What the vulnerability does

01 Description

Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0.

Explanation of Vulnerability in Simple Terms

02 Summary

The Entity Share module for Drupal contains an authorization flaw that allows users to access or modify shared content beyond their intended permissions. The vulnerability affects all versions before 3.13.0. Site administrators should update immediately to patch the authorization checks that govern entity sharing access.

What an attacker can do

03 Attacker Capabilities

Access or modify shared entities beyond their assigned permissions.

Potential impact on your site

04 Site Impact

Users may view or edit content they should not have access to, compromising content confidentiality and integrity.

Conditions required to exploit

05 Prerequisites

User must have some level of access to the Entity Share module or shared content.

Key dates

06 Disclosure timeline

January 28, 2026: CVE published
January 29, 2026: Record updated