{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3210", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:24.447Z", "datePublished": "2026-03-25T15:21:43.470Z", "dateUpdated": "2026-03-26T14:34:55.742Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}, "title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "datePublic": "2026-02-25T18:43:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "Material Icons", "collectionURL": "https://www.drupal.org/project/material_icons", "repo": "https://git.drupalcode.org/project/material_icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "credits": [{"lang": "en", "value": "Jen M (jannakha)", "type": "finder"}, {"lang": "en", "value": "Bryan Sharpe (b_sharpe)", "type": "remediation developer"}, {"lang": "en", "value": "Jen M (jannakha)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Ra M\u00c3\u00a4nd (ram4nd)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:02:52.139144Z", "id": "CVE-2026-3210", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:34:55.742Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:02:52.139144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:03:07.380Z"}}], "cna": {"title": "Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "remediation developer", "value": "Bryan Sharpe (b_sharpe)"}, {"lang": "en", "type": "remediation developer", "value": "Jen M (jannakha)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Ra M\u00c3\u00a4nd (ram4nd)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/material_icons", "vendor": "Drupal", "product": "Material Icons", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/material_icons", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:43:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-011"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.<p>This issue affects Material Icons: from 0.0.0 before 2.0.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:21:43.470Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3210", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:34:55.742Z", "dateReserved": "2026-02-25T16:59:24.447Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:21:43.470Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4."}], "id": "CVE-2026-3210", "lastModified": "2026-03-26T15:16:39.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:21.940", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-011"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Material Icons", "source": "cna", "vendor": "Drupal"}, "product": "material_icons", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T22:23:15.270496+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Material Icons to version 2.0.4 or later.", "If an upgrade is not immediately possible, review and enforce proper access control lists on restricted resources to prevent unauthorized browsing.", "Monitor web traffic for signs of unauthorized file access or suspicious request patterns."], "summary": {"action": "Immediate Patch", "impact": "Insecure Direct Object Reference allowing forceful browsing of protected resources"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Material Icons module for all releases starting at version 0.0.0 up through any version prior to 2.0.4. Administrators who are running these earlier releases are exposed until they can update the component.", "description_and_impact": "An incorrect authorization flaw in the Drupal Material Icons module permits users to bypass security checks and view content to which they should not have access. This weakness, classified as CWE\u2011863, enables a form of forceful browsing where an attacker can craft requests that expose protected resources. The result is potential leakage of sensitive data and a direct compromise of confidentiality.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate level of severity. Public exploit probability data is not available, but the description shows that the issue can be exploited via an external web request to a restricted URL, without needing local or privileged access. Because the flaw is a direct bypass of authorization, it remains a significant threat until it is patched."}}}}, "created": "2026-03-25T21:31:05.483782+00:00", "updated": "2026-03-26T12:13:22.492168+00:00", "vendors": ["drupal", "drupal$PRODUCT$material_icons"]}