CVE-2026-3527

CVE-2026-3527: AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022

Vendor: Drupal
Product: AJAX Dashboard
Weakness: CWE-306 · Missing auth
Published: March 26, 2026
Last update: March 27, 2026

What the vulnerability does

01 Description

Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0.

Explanation of Vulnerability in Simple Terms

02 Summary

A missing authentication check in the AJAX Dashboard module for Drupal allows unauthenticated users to access sensitive dashboard functionality. The vulnerability affects all versions before 3.1.0. Site administrators should update immediately to version 3.1.0 or later to prevent unauthorized access to dashboard data and operations.

What an attacker can do

03 Attacker Capabilities

Access dashboard functionality and data without logging in.

Potential impact on your site

04 Site Impact

Unauthorized users can view and potentially modify dashboard data and settings.

Conditions required to exploit

05 Prerequisites

Network access to the Drupal site; no authentication required.

Key dates

06 Disclosure timeline

March 26, 2026: CVE published
March 27, 2026: Record updated