CVE-2026-1553

CVE-2026-1553: Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

Vendor Drupal
Product Drupal Canvas
Weakness CWE-863 · Incorrect authorization
Published February 4, 2026
Last update February 4, 2026

CVSS base score

What the vulnerability does

01Description

Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.

Explanation of Vulnerability in Simple Terms

02Summary

Drupal Canvas module versions before 1.0.4 contain an authorization flaw that allows users to perform actions they should not be permitted to perform. The vulnerability stems from incorrect permission checks in the module's access control logic. Site administrators should update to version 1.0.4 or later to remediate this issue.

What an attacker can do

03Attacker Capabilities

Perform actions or access resources that their user role should not permit.

Potential impact on your site

04Site Impact

Users may bypass intended permission restrictions and access or modify content outside their role.

Conditions required to exploit

05Prerequisites

Attacker must have a user account on the site with some level of access.

Key dates

06Disclosure timeline

February 4, 2026 CVE published
February 4, 2026 Record updated

Related vulnerabilities

08Related CVE