View online: https://www.drupal.org/sa-contrib-2026-030
Project: Automated Logout [1]
Date: 2026-March-18
Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Cross-site request forgery
Affected versions: <1.7.0 || >=2.0.0 <2.0.2
CVE IDs: CVE-2026-4393

Description:
This module provides a site administrator the ability to log users out after a specified time of inactivity.
The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

Solution:
Install the latest version:

* If you use Automated Logout 8.x-1.x version 8.x-1.6 or lower, upgrade to autologout 8.x-1.7 [3].
* If you use Automated Logout 2.x version 2.0.1 or lower, upgrade to autologout 2.0.2 [4].
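
To check installed versions against the affected range stated above, the following is an added example; it is not part of the advisory or of the module's code. The site names in the inventory are constructed, and treating a legacy version such as `8.x-1.6` as `1.6.0` for comparison is an assumption.

```python
import operator
import re

# Affected range exactly as stated in the advisory.
AFFECTED = "<1.7.0 || >=2.0.0 <2.0.2"
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq}

def normalize(version):
    """Map '8.x-1.6', '2.0.1' or '1.7' to a comparable (major, minor, patch)."""
    v = version.strip()
    if "dev" in v:
        # A dev snapshot may or may not contain the fix; refuse to guess.
        raise ValueError(f"cannot classify dev build: {version!r}")
    v = re.sub(r"^\d+\.x-", "", v)  # assumption: '8.x-1.6' compares as 1.6.0
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected(version, constraint=AFFECTED):
    """True if version satisfies any '||' alternative of the constraint."""
    ver = normalize(version)
    for alternative in constraint.split("||"):
        terms = re.findall(r"(<=|>=|<|>|=)\s*([\w.\-]+)", alternative)
        if terms and all(OPS[op](ver, normalize(bound)) for op, bound in terms):
            return True
    return False

def audit(inventory):
    """Return the sites whose autologout version still needs the upgrade."""
    return sorted(site for site, ver in inventory.items() if is_affected(ver))

# Constructed inventory: site names and versions are illustrative only.
SAMPLE_INVENTORY = {
    "intranet": "8.x-1.6",
    "shop": "8.x-1.7",
    "portal": "2.0.1",
    "blog": "2.0.2",
}

if __name__ == "__main__":
    for site in audit(SAMPLE_INVENTORY):
        print(f"{site}: autologout {SAMPLE_INVENTORY[site]} is affected")
```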

Reported By:
* Pierre Rudloff (prudloff) [5]

Fixed By:
* Ajit Shinde (ajits) [6]
* Jakob P (japerry) [7]
* Gareth Alexander (the_g_bomb) [8]

Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
* Jess (xjm) [11] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [12]

[1] https://www.drupal.org/project/autologout
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3579901
[4] https://www.drupal.org/node/3579900
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/ajits
[7] https://www.drupal.org/u/japerry
[8] https://www.drupal.org/u/the_g_bomb
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://www.drupal.org/u/xjm
[12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....