[Security-news] Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
security-news at drupal.org
Wed Jan 14 17:54:34 UTC 2026
View online: https://www.drupal.org/sa-contrib-2026-002
Project: Role Delegation [1]
Date: 2026-January-14
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=1.3.0 <1.5.0
CVE IDs: CVE-2026-0945
Description:
This module allows site administrators to grant specific roles the authority
to assign selected roles to users, without them needing the "administer
permissions" permission.
The module contains an access bypass vulnerability when used in combination
with the Views Bulk Operations module. A user with the ability to delegate a
role is also able to assign the administrator role, including to their own
user.
This vulnerability is mitigated by the fact that an attacker must have access
to a view of users with the Views Bulk Operations module enabled.
Solution:
Install the latest version:
* If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to
Role Delegation 8.x-1.5 [3]
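Added example, not part of the advisory or the Role Delegation project: a Python check of a site's composer.lock against the affected range above, which also reports whether Views Bulk Operations is installed alongside it. The Composer package names and the sample lock file are assumptions constructed for illustration.

```python
import json
import re

# Composer package names (assumed from the Drupal project machine names).
ROLE_DELEGATION = "drupal/role_delegation"
VBO = "drupal/views_bulk_operations"
AFFECTED_MIN, FIXED = (1, 3, 0), (1, 5, 0)  # advisory range: >=1.3.0 <1.5.0

def parse_version(raw):
    """Return (major, minor, patch), or None for dev/pre-release strings."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(map(int, m.groups())) if m else None

def audit(lock_text):
    """Classify a composer.lock document against SA-CONTRIB-2026-002."""
    lock = json.loads(lock_text)
    pkgs = {p["name"]: p["version"]
            for key in ("packages", "packages-dev")
            for p in lock.get(key, [])}
    if ROLE_DELEGATION not in pkgs:
        return "not-installed"
    ver = parse_version(pkgs[ROLE_DELEGATION])
    if ver is None:
        return "unknown-version"      # review by hand, do not assume fixed
    if not (AFFECTED_MIN <= ver < FIXED):
        return "not-affected"
    # The advisory's bypass needs Views Bulk Operations alongside the module.
    # A locked package may still be disabled in Drupal; this is an upper bound.
    return "affected-vbo-present" if VBO in pkgs else "affected-no-vbo"

# Constructed sample lock file (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/role_delegation", "version": "1.4.0"},
        {"name": "drupal/views_bulk_operations", "version": "4.2.6"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```

A result of "affected-no-vbo" still calls for the upgrade, since the vulnerable code is present and Views Bulk Operations could be added later.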
Reported By:
* Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By:
* Adam Bramley (acbramley) [5]
* Dieter Holvoet (dieterholvoet) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [10]
[1] https://www.drupal.org/project/role_delegation
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/role_delegation/releases/8.x-1.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/acbramley
[6] https://www.drupal.org/u/dieterholvoet
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567530