Drupal security advisory (AV26-463)
Analysis Summary
# Vulnerability: Drupal Date iCal Information Disclosure
## CVE Details
- **CVE ID:** Not explicitly listed in the advisory summary (Referenced as SA-CONTRIB-2026-037)
- **CVSS Score:** Critical (Numerical score not provided in brief)
- **CWE:** CWE-200 (Information Exposure)
## Affected Systems
- **Products:** Drupal Date iCal module
- **Versions:** All versions prior to 4.0.15
- **Configurations:** Systems utilizing the Date iCal module for generating iCalendar feeds or handling date-related data integrations.
## Vulnerability Description
The Date iCal module for Drupal contains an information disclosure vulnerability. While the specific technical mechanism (e.g., improper access control or insecure direct object reference) is not detailed in the CCCS summary, the classification as "Critical" suggests that sensitive data may be exposed to unauthorized users through the iCalendar feeds or related processing functions.
## Exploitation
- **Status:** Not specified (Known vulnerability addressed by vendor)
- **Complexity:** Not specified
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Critical information disclosure)
- **Integrity:** Not specified
- **Availability:** Not specified
## Remediation
### Patches
The vendor has released an update to address this flaw. Administrators should upgrade to the following version:
- **Date iCal 4.0.15** or higher.
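An added example, not part of the advisory or of the Drupal project's code: a check of a site's `composer.lock` against the fixed release named above. The Composer package name `drupal/date_ical` and the sample lock contents are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/date_ical"  # assumed Composer package name for the Date iCal module
FIXED = (4, 0, 15)            # first fixed release according to the advisory


def parse_version(raw):
    """Return (major, minor, patch), or None for anything that is not a
    plain release (dev branches, pre-releases) and needs manual review."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def audit_lock(lock_text):
    """Classify the Date iCal entry found in a composer.lock document.

    Returns (status, version_string) where status is one of
    'vulnerable', 'patched', 'unknown' or 'absent'.
    """
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        version = parse_version(raw)
        if version is None:
            return ("unknown", raw)
        # Tuple comparison is numeric, so 4.0.9 sorts before 4.0.15
        # (a plain string comparison would get this wrong).
        return ("vulnerable" if version < FIXED else "patched", raw)
    return ("absent", None)


# Constructed sample input, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/date_ical", "version": "4.0.14"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

To audit a real site, pass the text of its `composer.lock` to `audit_lock`; an `unknown` result means the installed version is a branch or pre-release and has to be checked by hand.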
### Workarounds
- If immediate patching is not possible, disable the Date iCal module or restrict access to iCal feed URLs via web server configuration or Drupal permissions.
## Detection
- Review web server access logs for unusual requests to iCal feed endpoints.
- Monitor for unauthorized access to sensitive calendar data or user-specific scheduling information.
## References
- Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037: hxxps[://]www[.]drupal[.]org/sa-contrib-2026-037
- Drupal Security Advisories: hxxps[://]www[.]drupal[.]org/security
- Canadian Centre for Cyber Security Advisory (AV26-463): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-463