Vulnerability from drupal
Published
2026-07-01 17:21
Modified
2026-07-01 17:21
Summary
Details
This module enables you to test and run AI-driven workflows interactively through a chat interface.
The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution (incurring LLM spend and tool side effects) or send messages into other user's sessions.
This vulnerability is mitigated by the fact that an attacker must have the permission "View any session", which is not granted to anonymous or authenticated users by default.
Credits
Aincient Labs (aincient labs)
www.drupal.org/u/aincient-labs
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c1.6.0"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/flowdrop"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c1.6.0"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.0"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [
"CVE-2026-58589"
],
"credits": [
{
"contact": [
"https://www.drupal.org/u/aincient-labs"
],
"name": "Aincient Labs (aincient labs)"
}
],
"details": "This module enables you to test and run AI-driven workflows interactively through a chat interface.\n\nThe module doesn\u0027t sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution (incurring LLM spend and tool side effects) or send messages into other user\u0027s sessions.\n\nThis vulnerability is mitigated by the fact that an attacker must have the permission \"View any session\", which is not granted to anonymous or authenticated users by default.",
"id": "DRUPAL-CONTRIB-2026-067",
"modified": "2026-07-01T17:21:57.000Z",
"published": "2026-07-01T17:21:57.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-067"
}
],
"schema_version": "1.7.0"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…