(Drupal) Missing Authorization, CVE-2026-8495 (Medium)

Listen to this Post

The CVE-2026-8495 stems from a missing authorization check in the Drupal Date iCal module (versions prior to 4.0.15). This module generates iCal feeds from Drupal date fields and views. The vulnerability allows Forceful Browsing, a type of access control bypass where an attacker directly requests a protected resource without proper permission validation. Specifically, the module fails to verify that the current user has the required permissions (e.g., “access content” or view-specific grants) before generating and serving iCal data. An unauthenticated or low-privileged user can craft a URL pointing to a Date iCal feed (e.g., /date_ical/feed/...) and retrieve calendar entries, event details, or date-based content that should be restricted. Because no explicit access check is enforced on the route handler, Drupal’s default node access system is bypassed. The vulnerability exists because the module uses custom controllers that do not invoke `$this->checkAccess()` or similar Drupal access mechanisms. The issue affects all installations using Date iCal from version 0.0.0 up to, but not including, 4.0.15. The maintainers patched it by adding a permission hook and route requirement for `access content` and view-specific permissions. Attackers can exploit this via HTTP GET requests, enumerating feed IDs or parameters to exfiltrate sensitive dates, private event s, or unpublished node metadata. The CVSS vector likely includes low attack complexity, network vector, and no user interaction.

DailyCVE form:

Platform: Drupal
Version: <4.0.15
Vulnerability: Missing Authorization
Severity: Medium
date: 2026-05-19

Prediction: 2026-05-26

What Undercode Say:

Identify vulnerable module version
drush pm:list --format=yaml | grep "date_ical"
Check if route /date_ical/feed/{view}/{display_id} exists
curl -I http://target.com/date_ical/feed/test/test
Simulate Forceful Browsing (unauthenticated)
curl http://target.com/date_ical/feed/private_events/page_1
Drupal access bypass indicator
grep -r "DateiCalController" modules/contrib/date_ical/src/Controller/
// Example of missing check in vulnerable code (pre-4.0.15)
public function feed($view, $display_id) {
// No user_access() or $this->checkAccess() call
return $this->buildIcalResponse($view, $display_id);
}

Exploit:

Craft GET request to any Date iCal feed endpoint without authentication. Use known view/display IDs from info files or guess common patterns (e.g., events/default, calendar/upcoming). Enumerate node IDs via feed parameters like ?nid=1,2,3. Retrieve full iCal data including s, dates, descriptions, and locations of restricted content.

Protection from this CVE:

Upgrade Date iCal module to version 4.0.15 or later. If patching impossible, apply this access check via hook_requirements() or use a custom module to enforce `user_access(‘access content’)` on all date_ical routes. Disable the module entirely until upgrade. Use Drupal’s `route` access checking: `_permission: ‘access content’` in date_ical.routing.yml.

Impact:

Unauthorized disclosure of private events, unpublished node dates, sensitive calendar metadata, and internal content s. Forceful browsing can expose future plans, confidential meeting times, or personal schedules. Attackers can map content structure without valid credentials, leading to further targeted attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top