View online: https://www.drupal.org/sa-contrib-2026-022
Project: AJAX Dashboard [1]
Date: 2026-March-04
Security risk: *Critical* 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <3.1.0
CVE IDs: CVE-2026-3527
Description: AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons.
The module doesn't sufficiently check access on the dashboard configuration route. Unauthorized users could access the entity dashboard configuration page and either enable or disable dashboards. The affected administration page does not permit editing the configurations of the dashboards themselves.
The vulnerability is mitigated by the fact that the AJAX Dashboard Entity Dashboard submodule must be enabled.
Solution: Install the latest version of the AJAX Dashboard module, which includes the update to AJAX Dashboard: Entity Dashboards:
* If you use the AJAX Dashboard module, upgrade to AJAX Dashboard 3.1.0 [3]
Reported By:
* Juraj Nemec (poker10) [4] of the Drupal Security Team
Fixed By:
* Michael Nolan (laboratory.mike) [5]
Coordinated By:
* Bram Driesen (bramdriesen) [6] provisional member of the Drupal Security Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [9]

[1] https://www.drupal.org/project/ajax_dashboard
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3576913
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/laboratorymike
[6] https://www.drupal.org/u/bramdriesen
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....