[Security-news] Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006
security-news at drupal.org
Wed Jan 28 17:28:32 UTC 2026
View online: https://www.drupal.org/sa-contrib-2026-006
Project: Drupal Canvas [1]
Date: 2026-January-28
Security risk: *Moderately critical* 10 ∕ 25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-1553
Description:
The Drupal Canvas module is a new visual page builder for Drupal. You can
create reusable components that match your design system, drag them onto a
page, edit content in place, preview changes across multiple pages, and undo
mistakes with ease.
The module doesn't sufficiently validate access to Canvas Pages when they are
unpublished.
This vulnerability is mitigated by the fact that Canvas Pages don't have
content moderation enabled by default, that they must be unpublished after
being released, and that archiving is not yet a feature provided by the module.
Solution:
Install the latest version:
If you use the Drupal Canvas module, upgrade to Canvas 1.0.4 [3].
Reported By:
* jschref [4]
Fixed By:
* Bálint Kléri (balintbrews) [5]
* Matt Glaman (mglaman) [6]
* Christian López Espínola (penyaskito) [7]
* Tim Plunkett (tim.plunkett) [8]
Coordinated By:
* Alex Bronstein (effulgentsia) [9] of the Drupal Security Team
* Greg Knaddison (greggles) [10] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/31-canvas-security/-/issues/1 [11]
------------------------------------------------------------------------------
Contribution record [12]
[1] https://www.drupal.org/project/canvas
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/canvas/releases/1.0.4
[4] https://www.drupal.org/u/jschref
[5] https://www.drupal.org/u/balintbrews
[6] https://www.drupal.org/u/mglaman
[7] https://www.drupal.org/u/penyaskito
[8] https://www.drupal.org/u/timplunkett
[9] https://www.drupal.org/u/effulgentsia
[10] https://www.drupal.org/u/greggles
[11] https://git.drupalcode.org/security/31-canvas-security/-/issues/1
[12] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567229