Intel

AIKIDO-2026-454836

drupal/flowdrop is vulnerable to Access Bypass

Access BypassCVE-2026-58589 Published Jul 2, 2026

48

Medium Risk

This Affects:

PHPdrupal/flowdrop
1.0.0 - 1.5.0
Fixed in 1.6.0
Are you affected? Scan for Free

TL;DR

drupal/flowdrop runs AI-driven workflows interactively through a chat interface. The module does not sufficiently enforce permissions on certain endpoints, allowing attackers to trigger workflow execution (incurring LLM spend and tool side effects) or send messages into other users' sessions. Exploitation requires the "View any session" permission, which is not granted to anonymous or authenticated users by default.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/flowdrop is vulnerable to Access Bypass in versions 1.0.0 - 1.5.0.

How to fix this

Upgrade the drupal/flowdrop library to the patch version.