CVE-2026-13233
Drupal · OpenAI Provider
A Server-Side Request Forgery (SSRF) vulnerability in the Drupal OpenAI Provider module allows remote attackers to force the server to make unauthorized requests to internal or external resources.
Executive summary
The Drupal OpenAI Provider module contains a critical SSRF vulnerability that may allow attackers to bypass network controls and access internal services.
Vulnerability
This is a Server-Side Request Forgery (CWE-918) vulnerability caused by insufficient sanitization of user-supplied URLs. The vulnerability allows an authenticated attacker with specific permissions to manipulate host URLs to target internal network services or third-party systems.
Business impact
Successful exploitation of this vulnerability can lead to unauthorized access to internal network resources that are otherwise protected by firewalls. Given the CVSS score of 9.1, this is a critical risk that could result in sensitive data exposure or the lateral movement of an attacker within the organization's infrastructure.
Remediation
Immediate Action: Update the Drupal OpenAI Provider module to version 1.1.1 or 1.2.2 immediately to apply the necessary input validation patches.
Proactive Monitoring: Monitor server access and egress logs for unusual outbound requests originating from the web server, particularly those targeting internal IP ranges.
Compensating Controls: Implement strict egress filtering on the web server to block requests to internal network segments and unauthorized external destinations until the update is applied.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
Organizations utilizing the OpenAI Provider module for Drupal must prioritize this update. Despite the lack of confirmed active exploitation, the severity of SSRF vulnerabilities necessitates immediate patching to prevent potential internal network compromise.