DRUPAL-CONTRIB-2026-001

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ginvite/DRUPAL-CONTRIB-2026-001.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-001
Aliases
  • CVE-2026-0944
Published
2026-01-14T17:53:33Z
Modified
2026-01-14T20:56:28.484784Z
Summary
[none]
Details

This module enables allows group managers to invite people into their group.

The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.

This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ginvite

Package

Name
drupal/ginvite
Purl
pkg:composer/drupal/ginvite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.9
Database specific 
{
    "constraint": "<2.3.9"
}
Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.4
Database specific 
{
    "constraint": ">=3.0.0 <3.0.4"
}
Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.4
Database specific 
{
    "constraint": ">=4.0.0 <4.0.4"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ginvite/DRUPAL-CONTRIB-2026-001.json"

affected_versions

"<2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4"