View online: https://www.drupal.org/sa-contrib-2026-012

Project: Theme Negotiation by Rules [1] Date: 2026-February-25 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site request forgery

Affected versions: <1.2.1 CVE IDs: CVE-2026-3211 Description:  This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

Solution:  Install the latest version:

* If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1 [3].

Reported By:  * Juraj Nemec (poker10) [4] of the Drupal Security Team

Fixed By:  * Zoltan Attila Horvath (huzooka) [5] * Juraj Nemec (poker10) [6] of the Drupal Security Team

Coordinated By:  * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Juraj Nemec (poker10) [9] of the Drupal Security Team * Jess (xjm) [10] of the Drupal Security Team

------------------------------------------------------------------------------ Contribution record [11]

[1] https://www.drupal.org/project/theme_rule [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3575478 [4] https://www.drupal.org/u/poker10 [5] https://www.drupal.org/u/huzooka [6] https://www.drupal.org/u/poker10 [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/poker10 [10] https://www.drupal.org/u/xjm [11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....