DRUPAL-CONTRIB-2026-030

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/autologout/DRUPAL-CONTRIB-2026-030.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-030
Aliases
Published
2026-03-18T16:10:00Z
Modified
2026-03-18T18:00:07.682621Z
Summary
[none]
Details

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/autologout

Package

Name
drupal/autologout
Purl
pkg:composer/drupal/autologout

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0
Database specific
{
    "constraint": "<1.7.0"
}
Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.2
Database specific
{
    "constraint": ">=2.0.0 <2.0.2"
}

Database specific

affected_versions
"<1.7.0 || >=2.0.0 <2.0.2"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/autologout/DRUPAL-CONTRIB-2026-030.json"