Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 - Security-news

13 Aug 2025


      View online: https://www.drupal.org/sa-contrib-2025-097
Project: Layout Builder Advanced Permissions [1]
Date: 2025-August-13
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: 2.2.0
CVE IDs: CVE-2025-8996
Description: 
The Layout Builder Advanced Permissions module enables you to have fine
grained control over who can do what in editing pages built with Layout
Builder.
The module doesn't sufficiently control access for adding sections in the
submodule.
This vulnerability is mitigated by the fact that an attacker must have a role
with a specific set of permissions:
* Node: View published content
  * Node: (Your content type): Create new content
  * Node: (Your content type): Edit any content
  * Layout builder: (Your content type): Configure layout overrides for
    content items that the user can edit
  * Layout builder advanced permissions: Access Layout Builder page
Solution: 
Install the latest version:
* If you use the Layout Builder Advanced Permissions module, upgrade to
    Layout Builder Advanced Permissions 2.2.1 [3]
Reported By: 
  * Eelke Blok (eelkeblok) [4]
  * Michael Whittaker (mrwhittaker) [5]
Fixed By: 
  * Eelke Blok (eelkeblok) [6]
  * Sorin Dediu (sdstyles) [7]
  * Sean Blommaert (seanb) [8]
Coordinated By: 
  * Anna Kalata (akalata) [9]
  * Damien McKenna (damienmckenna) [10] of the Drupal Security Team
  * Greg Knaddison (greggles) [11] of the Drupal Security Team
  * Juraj Nemec (poker10) [12] of the Drupal Security Team
  * Cathy Theys (yesct) [13] of the Drupal Security Team
[1] https://www.drupal.org/project/layout_builder_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/layout_builder_perms/releases/2.2.1
[4] https://www.drupal.org/u/eelkeblok
[5] https://www.drupal.org/u/mrwhittaker
[6] https://www.drupal.org/u/eelkeblok
[7] https://www.drupal.org/u/sdstyles
[8] https://www.drupal.org/u/seanb
[9] https://www.drupal.org/u/akalata
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/poker10
[13] https://www.drupal.org/u/yesct