View online: https://www.drupal.org/sa-contrib-2026-001
Project: Group invite [1] Date: 2026-January-14 Security risk: *Moderately critical* 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Affected versions: <2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4 CVE IDs: CVE-2026-0944 Description: This module enables allows group managers to invite people into their group.
The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.
This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.
Solution: Install the latest version:
* If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9 [3] * If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4 [4] * If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4 [5]
Reported By: * Kevin Quillen (kevinquillen) [6]
Fixed By: * eduardo morales alberti [7] * Kevin Quillen (kevinquillen) [8] * Nikolay Lobachev (lobsterr) [9] * Ricardo Sanz Ante (tunic) [10]
Coordinated By: * Greg Knaddison (greggles) [11] of the Drupal Security Team * Juraj Nemec (poker10) [12] of the Drupal Security Team
------------------------------------------------------------------------------ Contribution record [13]
[1] https://www.drupal.org/project/ginvite [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/ginvite/releases/2.3.9 [4] https://www.drupal.org/project/ginvite/releases/3.0.4 [5] https://www.drupal.org/project/ginvite/releases/4.0.4 [6] https://www.drupal.org/u/kevinquillen [7] https://www.drupal.org/u/eduardo-morales-alberti [8] https://www.drupal.org/u/kevinquillen [9] https://www.drupal.org/u/lobsterr [10] https://www.drupal.org/u/tunic [11] https://www.drupal.org/u/greggles [12] https://www.drupal.org/u/poker10 [13] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....