Project:
Date:
2026-June-24
Security risk:
Vulnerability:
Information disclosure, Access bypass
Affected versions:
<1.1.4 || >=1.2.0 <1.2.5 || >=1.3.0 <1.3.1
CVE IDs:
CVE-2026-13237
Description:
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools.
Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure.
Solution:
Install the latest version:
- If you use the AI Agents module 1.1.3, upgrade to AI Agents 1.1.4
- If you use the AI Agents module 1.2.4 upgrade to AI Agents 1.2.5
- If you use the AI Agents module 1.3.0 upgrade to AI Agents 1.3.1
Reported By:
Coordinated By:
- Bram Driesen (bramdriesen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team