CVE-2026-8495 Overview
CVE-2026-8495 is a missing authorization vulnerability in the Drupal Date iCal module that allows forceful browsing of protected resources. The flaw affects all versions of Date iCal prior to 4.0.15. An unauthenticated remote attacker can reach calendar feed endpoints without proper access control checks. The vulnerability is classified under [CWE-862: Missing Authorization]. Because the attack requires no authentication, no user interaction, and can be performed over the network, it carries a high impact rating on confidentiality, integrity, and availability.
Critical Impact
Unauthenticated attackers can perform forceful browsing against Drupal sites running vulnerable Date iCal versions, exposing iCalendar data that should require authorization.
Affected Products
- Drupal Date iCal module versions from 0.0.0 before 4.0.15
- Drupal sites that enable the Date iCal contributed module
- Any deployment exposing Date iCal feed URLs to untrusted networks
Discovery Timeline
- 2026-05-19 - CVE-2026-8495 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8495
Vulnerability Analysis
The Date iCal module generates iCalendar (.ics) feeds from Drupal nodes and views. The module fails to verify that the requesting user has authorization to view the underlying entities when serving feed responses. An attacker can request feed URLs directly and retrieve content that should be gated by Drupal's access control system. This pattern is referred to as forceful browsing because the attacker bypasses the application's intended navigation flow by directly addressing protected resources.
The issue is rooted in the absence of an access check before content is serialized into the iCalendar response. Even when the parent Drupal view or node enforces permissions on its standard rendering paths, the Date iCal feed handler returns data through a separate route that does not consistently invoke those checks.
Root Cause
The root cause is missing authorization enforcement [CWE-862] in the module's feed delivery code path. The handler accepts requests and emits node data without invoking Drupal's entity access API to confirm the requester has permission to view each rendered item.
Attack Vector
An attacker sends crafted HTTP GET requests to known Date iCal feed paths on a target Drupal site. No credentials, tokens, or user interaction are required. Successful requests return calendar data drawn from nodes that may include private events, restricted scheduling information, or other content protected by Drupal permissions. Refer to the Drupal Security Advisory for technical details and impact scope.
Detection Methods for CVE-2026-8495
Indicators of Compromise
- Anonymous HTTP requests to Date iCal feed paths returning HTTP 200 responses with text/calendar content
- Spikes in access to .ics endpoints from unfamiliar source IP addresses or user agents
- Outbound scraping patterns enumerating multiple calendar feed URLs in sequence
Detection Strategies
- Review Drupal access logs for unauthenticated requests to URLs containing ical, feed, or .ics segments
- Correlate web server logs against the list of Date iCal feed routes exposed by your views and nodes
- Compare returned content against the expected anonymous-user permission set to identify unauthorized disclosure
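The access-log review in the list above, as an added example that is not part of the original advisory or the Date iCal project: it reads Combined Log Format lines and reports clients that received HTTP 200 for several different feed URLs. The log lines, IP addresses and paths are constructed, and the segment-matching rule and the three-URL threshold are assumptions to adapt to the feed routes your views expose; Combined Log Format does not record whether a Drupal session was present, so each match is a candidate for triage.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_feed_path(target):
    """True if a path segment is 'ical' or 'feed', or ends in '.ics' (assumed rule)."""
    segments = urlsplit(target).path.lower().split("/")
    return any(s in ("ical", "feed") or s.endswith(".ics") for s in segments)

def feed_hits_by_client(lines):
    """Map client IP -> set of distinct feed paths returned with 200 to a GET."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        if m["method"] == "GET" and m["status"] == "200" and is_feed_path(m["target"]):
            hits[m["ip"]].add(urlsplit(m["target"]).path)  # query string dropped
    return hits

def enumerating_clients(lines, min_distinct=3):
    """Clients that fetched at least min_distinct different feed URLs."""
    return {ip: sorted(paths)
            for ip, paths in feed_hits_by_client(lines).items()
            if len(paths) >= min_distinct}

# Constructed sample lines: documentation IP ranges, hypothetical paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2026:10:00:01 +0000] "GET /events/ical HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/May/2026:10:00:02 +0000] "GET /events/ical?page=1 HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/May/2026:10:00:03 +0000] "GET /calendar/2026/feed HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/May/2026:10:00:04 +0000] "GET /node/41/export.ics HTTP/1.1" 200 301 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/May/2026:10:00:05 +0000] "GET /node/42/export.ics HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '203.0.113.20 - - [20/May/2026:10:05:00 +0000] "GET /events/ical HTTP/1.1" 200 812 "-" "CalendarClient/1.0"',
    '203.0.113.20 - - [20/May/2026:10:05:09 +0000] "GET /medical-services HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in enumerating_clients(SAMPLE_LOG).items():
        print(f"{ip} fetched {len(paths)} distinct feed URLs: {paths}")
```

Run the same check against logs from before the upgrade to 4.0.15 and compare each reported path with what an anonymous user is expected to see.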
Monitoring Recommendations
- Enable verbose logging on the web server and Drupal dblog module for content access events
- Alert on high-volume anonymous access to calendar feed endpoints
- Monitor for user agents associated with automated content scrapers targeting Drupal sites
How to Mitigate CVE-2026-8495
Immediate Actions Required
- Upgrade the Date iCal module to version 4.0.15 or later on all Drupal installations
- Audit current Date iCal feed configurations and disable feeds that are not required
- Review access logs for prior unauthorized requests to feed endpoints and assess data exposure
Patch Information
The fix is delivered in Date iCal release 4.0.15. The patch adds the missing authorization checks before feed content is rendered. Refer to the Drupal Security Advisory for upgrade instructions and verification steps.
Workarounds
- Disable the Date iCal module until the upgrade can be applied if feeds are not in active use
- Restrict access to feed URLs at the web server or reverse proxy layer using IP allowlists or authentication
- Remove or unpublish nodes containing sensitive data from views that expose iCalendar feeds
# Upgrade the Date iCal module using Composer
composer require 'drupal/date_ical:^4.0.15'
drush updatedb
drush cache:rebuild


