Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-July-30
Security risk:
Vulnerability:
Access bypass
Affected versions:
<2.18.0
CVE IDs:
CVE-2025-8361
Description:
This module enables you to access an edit page for a config page.
The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access() wasn't taken into account).
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.
Solution:
Install the latest version:
- If you use the Config Pages module, upgrade to Config Pages 8.x-2.18.
Reported By:
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
Fixed By:
- Pierre Rudloff (prudloff), provisional member of the Drupal Security Team
- Alexander Shumenko (shumer)
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Heine Deelstra (heine) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
