DRUPAL-CORE-2026-005

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-005.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CORE-2026-005
Aliases
  • CVE-2026-55803
Published
2026-06-17T18:56:50Z
Modified
2026-06-17T19:41:28.882665Z
Summary
[none]
Details

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.

The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

  • A site must use an entity reference field type that stores a serialized property.
  • An attacker must have permission to write to the entity via JSON:API.

No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.

JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).

Drupal Steward protection:

This issue is being protected by Drupal Steward. In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not be able to cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are not mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.

References
Credits

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.5.12
Database specific 
{
    "constraint": "<10.5.12"
}
Type
ECOSYSTEM
Events
Introduced
10.6.0
Fixed
10.6.11
Database specific 
{
    "constraint": ">=10.6.0 <10.6.11"
}
Type
ECOSYSTEM
Events
Introduced
11.2.0
Fixed
11.2.14
Database specific 
{
    "constraint": ">=11.2.0 <11.2.14"
}
Type
ECOSYSTEM
Events
Introduced
11.3.0
Fixed
11.3.12
Database specific 
{
    "constraint": ">=11.3.0 <11.3.12"
}
Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.1.0
Database specific 
{
    "constraint": "11.0.*"
}
Type
ECOSYSTEM
Events
Introduced
11.1.0
Fixed
11.2.0
Database specific 
{
    "constraint": "11.1.*"
}

Affected versions

8.*
8.0.0-beta6
8.0.0-beta7
8.0.0-beta8
8.0.0-beta9
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.1.10
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.0
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.6.0-alpha1
8.6.0-beta1
8.6.0-beta2
8.6.0-rc1
8.6.0
8.6.1
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15
8.6.16
8.6.17
8.6.18
8.7.0-alpha1
8.7.0-alpha2
8.7.0-beta1
8.7.0-beta2
8.7.0-rc1
8.7.0
8.7.1
8.7.2
8.7.3
8.7.4
8.7.5
8.7.6
8.7.7
8.7.8
8.7.9
8.7.10
8.7.11
8.7.12
8.7.13
8.7.14
8.8.0-alpha1
8.8.0-beta1
8.8.0-rc1
8.8.0
8.8.1
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9
8.8.10
8.8.11
8.8.12
8.9.0-beta1
8.9.0-beta2
8.9.0-beta3
8.9.0-rc1
8.9.0
8.9.1
8.9.2
8.9.3
8.9.4
8.9.5
8.9.6
8.9.7
8.9.8
8.9.9
8.9.10
8.9.11
8.9.12
8.9.13
8.9.14
8.9.15
8.9.16
8.9.17
8.9.18
8.9.19
8.9.20
9.*
9.0.0-alpha1
9.0.0-alpha2
9.0.0-beta1
9.0.0-beta2
9.0.0-beta3
9.0.0-rc1
9.0.0
9.0.1
9.0.2
9.0.3
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.9
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.1.0-alpha1
9.1.0-beta1
9.1.0-rc1
9.1.0-rc2
9.1.0-rc3
9.1.0
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6
9.1.7
9.1.8
9.1.9
9.1.10
9.1.11
9.1.12
9.1.13
9.1.14
9.1.15
9.2.0-alpha1
9.2.0-beta1
9.2.0-beta2
9.2.0-beta3
9.2.0-rc1
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
9.2.8
9.2.9
9.2.10
9.2.11
9.2.12
9.2.13
9.2.14
9.2.15
9.2.16
9.2.17
9.2.18
9.2.19
9.2.20
9.2.21
9.3.0-alpha1
9.3.0-beta1
9.3.0-beta2
9.3.0-beta3
9.3.0-rc1
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.3.8
9.3.9
9.3.10
9.3.11
9.3.12
9.3.13
9.3.14
9.3.15
9.3.16
9.3.17
9.3.18
9.3.19
9.3.20
9.3.21
9.3.22
9.4.0-alpha1
9.4.0-beta1
9.4.0-rc1
9.4.0-rc2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.4.10
9.4.11
9.4.12
9.4.13
9.4.14
9.4.15
9.5.0-beta1
9.5.0-beta2
9.5.0-rc1
9.5.0-rc2
9.5.0
9.5.1
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7
9.5.8
9.5.9
9.5.10
9.5.11
10.*
10.0.0-alpha1
10.0.0-alpha2
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.0.0-alpha6
10.0.0-alpha7
10.0.0-beta1
10.0.0-beta2
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.0.10
10.0.11
10.1.0-alpha1
10.1.0-beta1
10.1.0-rc1
10.1.0
10.1.1
10.1.2
10.1.3
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.2.0-alpha1
10.2.0-beta1
10.2.0-rc1
10.2.0
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.2.8
10.2.9
10.2.10
10.2.11
10.2.12
10.3.0-beta1
10.3.0-rc1
10.3.0
10.3.1
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
10.3.9
10.3.10
10.3.11
10.3.12
10.3.13
10.3.14
10.4.0-beta1
10.4.0-rc1
10.4.0
10.4.1
10.4.2
10.4.3
10.4.4
10.4.5
10.4.6
10.4.7
10.4.8
10.4.9
10.4.10
10.5.0-beta1
10.5.0-rc1
10.5.0
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.5.6
10.5.7
10.5.8
10.5.9
10.5.10
10.5.11
10.6.0
10.6.1
10.6.2
10.6.3
10.6.4
10.6.5
10.6.6
10.6.7
10.6.8
10.6.9
10.6.10
11.*
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.0.10
11.0.11
11.0.12
11.0.13
11.1.0-beta1
11.1.0-rc1
11.1.0
11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6
11.1.7
11.1.8
11.1.9
11.1.10
11.2.0-alpha1
11.2.0-beta1
11.2.0-rc1
11.2.0-rc2
11.2.0
11.2.1
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.2.10
11.2.11
11.2.12
11.2.13
11.3.0
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.3.8
11.3.9
11.3.10
11.3.11

Database specific

affected_versions 
"<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*"
source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/core/DRUPAL-CORE-2026-005.json"