Vulnerability from drupal
Published: 2026-06-24 18:38
Modified: 2026-06-24 18:38
Summary
Details
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools.
The module does not sufficiently check the required permissions when a tool loads content entities.
This vulnerability is mitigated by the fact that an agent must be configured to use the affected tool, and an attacker must have access to that agent.
Credits
Kuniyoshi Noguchi (kuninogu)
www.drupal.org/u/kuninogu
{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.1.4 || \u003e=1.2.0 \u003c1.2.5 || \u003e=1.3.0 \u003c1.3.1"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/ai_agents"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.1.4"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": "\u003e=1.2.0 \u003c1.2.5"
          },
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": "\u003e=1.3.0 \u003c1.3.1"
          },
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-13236"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/kuninogu"
      ],
      "name": "Kuniyoshi Noguchi (kuninogu)"
    }
  ],
  "details": "This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools.\n\nThe module does not sufficiently check the required permissions when a tool loads content entities.\n\nThis vulnerability is mitigated by the fact that an agent must be configured to use the affected tool, and an attacker must have access to that agent.",
  "id": "DRUPAL-CONTRIB-2026-056",
  "modified": "2026-06-24T18:38:33.000Z",
  "published": "2026-06-24T18:38:33.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-056"
    }
  ],
  "schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.