DRUPAL-CONTRIB-2026-053

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai_provider_openai/DRUPAL-CONTRIB-2026-053.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-053
Aliases
  • CVE-2026-13233
Published
2026-06-24T18:36:06Z
Modified
2026-06-24T19:15:04.276717275Z
Summary
[none]
Details

This module enables you to use OpenAI as a provider for the AI module.

The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery (SSRF) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have the access to change the host url and a way to generate AI-generated images.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ai_provider_openai

Package

Name
drupal/ai_provider_openai
Purl
pkg:composer/drupal%2Fai_provider_openai

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.1
Database specific 
{
    "constraint": "<1.1.1"
}
Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2
Database specific 
{
    "constraint": ">=1.2.0 <1.2.2"
}

Database specific

affected_versions 
"<1.1.1 || >=1.2.0 <1.2.2"
source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ai_provider_openai/DRUPAL-CONTRIB-2026-053.json"