[Security-news] Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
security-news at drupal.org
security-news at drupal.org
Wed Jan 14 17:53:34 UTC 2026
View online: https://www.drupal.org/sa-contrib-2026-001
Project: Group invite [1]
Date: 2026-January-14
Security risk: *Moderately critical* 14 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4
CVE IDs: CVE-2026-0944
Description:
This module enables allows group managers to invite people into their group.
The module doesn't sufficiently check access under certain circumstances,
allowing unauthorized users to access the group's content.
This vulnerability is mitigated by the fact that it only occurs when certain
uncommon actions are taken by a user with the permission to create group
invites.
Solution:
Install the latest version:
* If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9
[3]
* If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4
[4]
* If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4
[5]
Reported By:
* Kevin Quillen (kevinquillen) [6]
Fixed By:
* eduardo morales alberti [7]
* Kevin Quillen (kevinquillen) [8]
* Nikolay Lobachev (lobsterr) [9]
* Ricardo Sanz Ante (tunic) [10]
Coordinated By:
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Juraj Nemec (poker10) [12] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [13]
[1] https://www.drupal.org/project/ginvite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ginvite/releases/2.3.9
[4] https://www.drupal.org/project/ginvite/releases/3.0.4
[5] https://www.drupal.org/project/ginvite/releases/4.0.4
[6] https://www.drupal.org/u/kevinquillen
[7] https://www.drupal.org/u/eduardo-morales-alberti
[8] https://www.drupal.org/u/kevinquillen
[9] https://www.drupal.org/u/lobsterr
[10] https://www.drupal.org/u/tunic
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/poker10
[13]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567529
More information about the Security-news
mailing list