View online: https://www.drupal.org/sa-contrib-2026-006
Project: Drupal Canvas [1] Date: 2026-January-28 Security risk: *Moderately critical* 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Affected versions: <1.0.4 CVE IDs: CVE-2026-1553 Description: This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.
The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.
This vulnerability is mitigated by the fact that Canvas Pages don't have content moderation enabled by default, and they must be unpublished after being released, and archiving is not a feature provided by the module yet.
Solution: Install the latest version:
If you use the Drupal Canvas module, upgrade to Canvas 1.0.4 [3].
Reported By: * jschref [4]
Fixed By: * Bálint Kléri (balintbrews) [5] * Matt Glaman (mglaman) [6] * Christian López Espínola (penyaskito) [7] * Tim Plunkett (tim.plunkett) [8]
Coordinated By: * Alex Bronstein (effulgentsia) [9] of the Drupal Security Team * Greg Knaddison (greggles) [10] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/31-canvas-security/-/issues/1 [11] ------------------------------------------------------------------------------ Contribution record [12]
[1] https://www.drupal.org/project/canvas [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/canvas/releases/1.0.4 [4] https://www.drupal.org/u/jschref [5] https://www.drupal.org/u/balintbrews [6] https://www.drupal.org/u/mglaman [7] https://www.drupal.org/u/penyaskito [8] https://www.drupal.org/u/timplunkett [9] https://www.drupal.org/u/effulgentsia [10] https://www.drupal.org/u/greggles [11] https://git.drupalcode.org/security/31-canvas-security/-/issues/1 [12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....