CVE-2026-0945
📋 TL;DR
A privilege escalation vulnerability in Drupal's Role Delegation module allows authenticated users with role assignment permissions to assign themselves or others privileged roles they shouldn't have access to. This affects Drupal sites using Role Delegation module versions 1.3.0 through 1.4.x.
💻 Affected Systems
- Drupal Role Delegation module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated user with role assignment permissions could grant themselves administrative privileges, gaining full control over the Drupal site including content, users, and configuration.
Likely Case
Users with limited role management permissions could escalate their privileges to access restricted functionality or data they shouldn't have access to.
If Mitigated
With proper access controls and monitoring, unauthorized privilege changes would be detected and reverted before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access with role assignment permissions. The vulnerability is in the permission checking logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://www.drupal.org/sa-contrib-2026-002
Restart Required: No
Instructions:
1. Update Role Delegation module to version 1.5.0 or later via Drupal's update manager or Composer.
2. Clear Drupal cache after update.
3. Verify module version in Extend page.
🔧 Temporary Workarounds
Disable Role Delegation module
Temporarily disable the vulnerable module until patching is possible
drush pm-disable role_delegation
Restrict role assignment permissions
Temporarily remove role assignment permissions from all users except trusted administrators
🧯 If You Can't Patch
- Implement strict monitoring of user role changes and audit logs
- Restrict access to user management interfaces using web application firewall rules
🔍 How to Verify
Check if Vulnerable:
Check Role Delegation module version in Drupal's Extend page or via 'drush pm-list | grep role_delegation'
Check Version:
drush pm-list --fields=name,version | grep role_delegation
Verify Fix Applied:
Confirm Role Delegation module version is 1.5.0 or higher in Drupal Extend page
📡 Detection & Monitoring
Log Indicators:
- Unexpected role assignment events in Drupal watchdog logs
- Multiple role changes for single user in short timeframe
Network Indicators:
- POST requests to user role assignment endpoints from non-admin users
SIEM Query:
source="drupal" AND (event="user_role_assignment" OR message="role assignment") AND NOT user="admin"
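The log indicators above (role assignments by non-admin actors, several role changes for one user in a short window, a user granting themselves a privileged role) turned into detection logic over constructed sample log lines. This is an added example, not part of the advisory; the line format, the trusted actor list and the privileged role name are assumptions, and a real Drupal watchdog export will need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, assumed export format (not real
# Drupal watchdog output): timestamp, type, actor, target user, role, action.
SAMPLE_LOG = """\
2026-01-10T09:00:05 user actor=admin target=bob role=editor action=add
2026-01-10T09:15:00 user actor=carol target=carol role=content_manager action=add
2026-01-10T09:15:20 user actor=carol target=carol role=site_builder action=add
2026-01-10T09:15:45 user actor=carol target=carol role=administrator action=add
2026-01-10T11:30:00 user actor=admin target=dave role=editor action=remove
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user actor=(?P<actor>\S+) target=(?P<target>\S+) "
    r"role=(?P<role>\S+) action=(?P<action>add|remove)$"
)

TRUSTED_ACTORS = {"admin"}            # assumed: accounts allowed to grant roles
PRIVILEGED_ROLES = {"administrator"}  # assumed: roles that must never be self-granted


def parse_events(text):
    """Parse role-change lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events, burst=3, window=timedelta(minutes=5)):
    """Return one alert string per indicator hit: an untrusted actor granting a
    role, self-assignment of a privileged role, and >= `burst` role changes
    for the same target user inside `window`."""
    alerts = []
    per_target = defaultdict(list)
    for e in events:
        if e["action"] == "add" and e["actor"] not in TRUSTED_ACTORS:
            alerts.append(f"untrusted actor {e['actor']} granted {e['role']} to {e['target']}")
        if e["actor"] == e["target"] and e["role"] in PRIVILEGED_ROLES:
            alerts.append(f"self-assignment of privileged role {e['role']} by {e['actor']}")
        per_target[e["target"]].append(e["ts"])
    for target, times in per_target.items():
        times.sort()  # sliding window over sorted timestamps
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                alerts.append(f"{burst} role changes for {target} within {window}")
                break
    return alerts
```

Running `detect(parse_events(SAMPLE_LOG))` flags only carol's three self-granted roles (including the administrator role) and the burst of changes on her account; the two admin-performed changes produce no alerts.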