AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

Project:

AI (Artificial Intelligence)

Date:

2026-March-11

Security risk:

Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Information Disclosure

Affected versions:

<1.1.11 || >=1.2.0 <1.2.12

CVE IDs:

CVE-2026-3573

Description:

The module and certain submodules (AI Automators, AI Translate, AI API Explorer, AI Content Suggestions) provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser.

Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the context of the LLM request.

Solution:

Install the latest version:

If you use the AI module 1.1 or earlier, upgrade to AI 1.1.11.
If you use the AI module 1.2, upgrade to AI 1.2.12.

Reported By:

Marcus Johansson (marcus_johansson)

Fixed By:

Artem Dmitriiev (a.dmitriiev)
Abhisek Mazumdar (abhisekmazumdar)
Dave Long (longwave) of the Drupal Security Team
Marcus Johansson (marcus_johansson)
Valery Lourie (valthebald)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Contribution record

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community