Skip to main content
CVE Vulnerability Database

CVE-2026-8495: Drupal Date iCal Auth Bypass Vulnerability

CVE-2026-8495 is an authorization bypass flaw in Drupal Date iCal that enables forceful browsing attacks. This article covers the technical details, versions affected (0.0.0 to 4.0.14), security impact, and mitigation.

Published:

CVE-2026-8495 Overview

CVE-2026-8495 is a missing authorization vulnerability in the Drupal Date iCal module that allows forceful browsing of protected resources. The flaw affects all versions of Date iCal prior to 4.0.15. An unauthenticated remote attacker can reach calendar feed endpoints without proper access control checks. The vulnerability is classified under [CWE-862: Missing Authorization]. Because the attack requires no authentication, no user interaction, and can be performed over the network, it carries a high impact rating on confidentiality, integrity, and availability.

Critical Impact

Unauthenticated attackers can perform forceful browsing against Drupal sites running vulnerable Date iCal versions, exposing iCalendar data that should require authorization.

Affected Products

  • Drupal Date iCal module versions from 0.0.0 before 4.0.15
  • Drupal sites that enable the Date iCal contributed module
  • Any deployment exposing Date iCal feed URLs to untrusted networks

Discovery Timeline

  • 2026-05-19 - CVE CVE-2026-8495 published to NVD
  • 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-8495

Vulnerability Analysis

The Date iCal module generates iCalendar (.ics) feeds from Drupal nodes and views. The module fails to verify that the requesting user has authorization to view the underlying entities when serving feed responses. An attacker can request feed URLs directly and retrieve content that should be gated by Drupal's access control system. This pattern is referred to as forceful browsing because the attacker bypasses the application's intended navigation flow by directly addressing protected resources.

The issue is rooted in the absence of an access check before content is serialized into the iCalendar response. Even when the parent Drupal view or node enforces permissions on its standard rendering paths, the Date iCal feed handler returns data through a separate route that does not consistently invoke those checks.

Root Cause

The root cause is missing authorization enforcement [CWE-862] in the module's feed delivery code path. The handler accepts requests and emits node data without invoking Drupal's entity access API to confirm the requester has permission to view each rendered item.

Attack Vector

An attacker sends crafted HTTP GET requests to known Date iCal feed paths on a target Drupal site. No credentials, tokens, or user interaction are required. Successful requests return calendar data drawn from nodes that may include private events, restricted scheduling information, or other content protected by Drupal permissions. Refer to the Drupal Security Advisory for technical details and impact scope.

Detection Methods for CVE-2026-8495

Indicators of Compromise

  • Anonymous HTTP requests to Date iCal feed paths returning HTTP 200 responses with text/calendar content
  • Spikes in access to .ics endpoints from unfamiliar source IP addresses or user agents
  • Outbound scraping patterns enumerating multiple calendar feed URLs in sequence

Detection Strategies

  • Review Drupal access logs for unauthenticated requests to URLs containing ical, feed, or .ics segments
  • Correlate web server logs against the list of Date iCal feed routes exposed by your views and nodes
  • Compare returned content against the expected anonymous-user permission set to identify unauthorized disclosure

Monitoring Recommendations

  • Enable verbose logging on the web server and Drupal dblog module for content access events
  • Alert on high-volume anonymous access to calendar feed endpoints
  • Monitor for user agents associated with automated content scrapers targeting Drupal sites

How to Mitigate CVE-2026-8495

Immediate Actions Required

  • Upgrade the Date iCal module to version 4.0.15 or later on all Drupal installations
  • Audit current Date iCal feed configurations and disable feeds that are not required
  • Review access logs for prior unauthorized requests to feed endpoints and assess data exposure

Patch Information

The fix is delivered in Date iCal release 4.0.15. The patch adds the missing authorization checks before feed content is rendered. Refer to the Drupal Security Advisory for upgrade instructions and verification steps.

Workarounds

  • Disable the Date iCal module until the upgrade can be applied if feeds are not in active use
  • Restrict access to feed URLs at the web server or reverse proxy layer using IP allowlists or authentication
  • Remove or unpublish nodes containing sensitive data from views that expose iCalendar feeds
bash
# Upgrade the Date iCal module using Composer
composer require 'drupal/date_ical:^4.0.15'
drush updatedb
drush cache:rebuild

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.