Intel

AIKIDO-2026-928351

drupal/flowdrop is vulnerable to Access Bypass

Access BypassCVE-2026-58590 Published Jul 2, 2026

48

Medium Risk

This Affects:

PHPdrupal/flowdrop
1.0.0 - 1.5.0
Fixed in 1.6.0
Are you affected? Scan for Free

TL;DR

drupal/flowdrop runs AI-driven workflows interactively through a chat interface. When a workflow iterates more than once, the human-in-the-loop approval gate is not re-evaluated on later iterations, so steps may execute without fresh user approval and run actions the user did not intend. Exploitation requires a role with permission to administer, create, or edit FlowDrop workflows.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/flowdrop is vulnerable to Access Bypass in versions 1.0.0 - 1.5.0.

How to fix this

Upgrade the drupal/flowdrop library to the patch version.