CVE-2026-10768
Drupal · LocalGov Workflows
A missing authorization vulnerability in the Drupal LocalGov Workflows module allows unauthorized users to access restricted resources via forceful browsing.
Executive summary
The Drupal LocalGov Workflows module is susceptible to a critical missing authorization flaw that allows unauthenticated attackers to bypass access controls.
Vulnerability
This vulnerability is caused by missing authorization checks, which permits unauthenticated attackers to perform forceful browsing. This allows access to sensitive workflow data or administrative functions that should be restricted.
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to data confidentiality and integrity. Successful exploitation could allow an attacker to view or modify sensitive administrative workflows, potentially leading to unauthorized data exposure or complete compromise of the application's workflow management system.
Remediation
Immediate Action: Update the Drupal LocalGov Workflows module to version 1.6.0 or later immediately to apply the necessary authorization checks.
Proactive Monitoring: Monitor application access logs for unexpected attempts to access administrative paths or workflow-related objects by unprivileged users.
Compensating Controls: Implement strict access control lists at the web server or WAF level to restrict access to sensitive module paths until the update is applied.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
This vulnerability is highly critical and should be treated with the utmost urgency. Administrators must prioritize updating to version 1.6.0 or later to ensure that proper authorization logic is enforced and to prevent unauthorized access to sensitive system resources.