Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

Project:

Group invite

Date:

2026-January-14

Security risk:

Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4

CVE IDs:

CVE-2026-0944

Description:

This module enables allows group managers to invite people into their group.

The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.

This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.

Solution:

Install the latest version:

If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9
If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4
If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4

Reported By:

Kevin Quillen (kevinquillen)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community