Intel

AIKIDO-2026-841708

drupal/ai is vulnerable to Access Bypass

Access BypassCVE-2026-13235 Published Jun 25, 2026

50

Medium Risk

This Affects:

PHPdrupal/ai
0.0.1 - 1.2.16
Fixed in 1.2.17
1.3.0 - 1.3.7
Fixed in 1.3.8
1.4.0 - 1.4.2
Fixed in 1.4.3
Are you affected? Scan for Free

TL;DR

The Drupal AI Core Actions module contains an access control vulnerability where certain exposed Drupal core action tools do not properly validate permissions, and some actions lack required access-level definitions. This issue only affects sites that expose the affected tools to non-privileged users through an agent accessible to attackers.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/ai is vulnerable to Access Bypass in versions 0.0.1 - 1.2.16, 1.3.0 - 1.3.7 and 1.4.0 - 1.4.2.

How to fix this

Upgrade the drupal/ai library to the patch version.