CVE-2026-0945: Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

Vendor: Drupal
Product: Role Delegation
Weakness: CWE-267
Published: February 4, 2026
Last update: February 12, 2026

What the vulnerability does

01 Description

Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0.

Explanation of Vulnerability in Simple Terms

02 Summary

A privilege escalation vulnerability exists in the Drupal Role Delegation module versions 1.3.0 through 1.4.x. The module does not properly validate role assignment permissions, allowing users with certain privileges to assign roles they should not have access to. This affects sites using the vulnerable module versions. Update to version 1.5.0 or later to resolve the issue.

What an attacker can do

03 Attacker Capabilities

Assign roles to users that exceed their own permission level.

Potential impact on your site

04 Site Impact

Unauthorized users may gain elevated privileges, compromising site security and access controls.

Conditions required to exploit

05 Prerequisites

Attacker must have an account with role delegation capabilities on the site.

Key dates

06 Disclosure timeline

February 4, 2026: CVE published
February 12, 2026: Record updated