LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

Project:

LocalGov Workflows

Date:

2026-June-03

Security risk:

Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Information disclosure

Affected versions:

<1.6.0

CVE IDs:

CVE-2026-10768

Description:

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview.

The module doesn't sufficiently restrict access to a view of Service Contacts at which exposes the names and content items assigned to each Service Contact.

Solution:

Install the latest version:

If you use the LocalGov Workflows module for Drupal, upgrade to LocalGov Workflows 1.6.0

Reported By:

Maria Young (maria.y)

Fixed By:

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community