Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-June-17
Vulnerability:
Cache poisoning and open redirect
Affected versions:
<10.5.12 || >=10.6.0 <10.6.11 || >=11.2.0 <11.2.14 || >=11.3.0 <11.3.12 || 11.0.* || 11.1.*
CVE IDs:
CVE-2026-55806
Description:
Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.
This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
Solution:
Install the latest version:
Drupal 11
- If you use Drupal 11.3.x, update to Drupal 11.3.12.
- If you use Drupal 11.2.x, update to Drupal 11.2.14.
Drupal 10
- If you use Drupal 10.6.x, update to Drupal 10.6.11.
- If you use Drupal 10.5.x, update to Drupal 10.5.12.
Drupal 11.1.x, Drupal 11.0.x, Drupal 10.4.x, and below are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Fixed By:
- Lee Rowlands (larowlan) of the Drupal Security Team
Coordinated By:
- catch (catch) of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Lee Rowlands (larowlan) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team
- James Gilliland (neclimdul) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
