Missing Authorization in Drupal Paragraphs Allows Forceful Browsing
CVE-2026-13240

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-13240?

A missing authorization vulnerability in the Drupal Paragraphs module allows attackers to exploit forceful browsing. This security flaw affects all versions from 0.0.0 to 1.21.0, enabling unauthorized access to resources that should be restricted. Proper authorization checks are essential to ensure users can only access their permitted information. Users of affected versions should prioritize updates to mitigate the risk associated with this vulnerability.

Affected Version(s)

Paragraphs 0.0.0 < 1.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Sascha Grossenbacher (berdir)
Pierre Rudloff (prudloff)
Greg Knaddison (greggles)
Pierre Rudloff (prudloff)
.