Missing Authorization Vulnerability in Drupal Layout Builder Advanced Permissions
CVE-2025-8996
4.3 MEDIUM
Key Information:
- Vendor: Drupal
- CVE Published: 15 August 2025
What is CVE-2025-8996?
A missing authorization vulnerability in Drupal's Layout Builder Advanced Permissions component allows attackers to perform forceful browsing, that is, to request pages or functions directly without passing the access check that should guard them. This can lead to unauthorized access to sensitive content or functionality. Versions prior to 2.2.0 are affected; users should update to the latest version to secure their installations against potential exploitation.
Affected Version(s)
Layout Builder Advanced Permissions 0.0.0 < 2.2.0
CVSS V3.1
- Score: 4.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Eelke Blok (eelkeblok)
Michael Whittaker (mrwhittaker)
Eelke Blok (eelkeblok)
Sorin Dediu (sdstyles)
Sean Blommaert (seanb)
Anna Kalata (akalata)
Damien McKenna (damienmckenna)
Greg Knaddison (greggles)
Juraj Nemec (poker10)
Cathy Theys (yesct)