Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-August-13
Vulnerability:
Access bypass
Affected versions:
2.2.0
CVE IDs:
CVE-2025-8996
Description:
The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder.
The module doesn't sufficiently control access for adding sections in the submodule.
This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:
- Node: View published content
- Node: (Your content type): Create new content
- Node: (Your content type): Edit any content
- Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
- Layout builder advanced permissions: Access Layout Builder page
Solution:
Install the latest version:
- If you use the Layout Builder Advanced Permissions module, upgrade to Layout Builder Advanced Permissions 2.2.1
Reported By:
Coordinated By:
- Anna Kalata (akalata), provisional member of the Drupal Security Team
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Cathy Theys (yesct) of the Drupal Security Team
