CVE-2026-13237

Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.

Credits

Andrew Belcher (andrewbelcher)
Rob Edwards (rob_e)
Andrew Belcher (andrewbelcher)
Marcus Johansson (marcus_johansson)
Rob Edwards (rob_e)
Bram Driesen (bramdriesen)
Greg Knaddison (greggles)
Drew Webber (mcdruid)
Juraj Nemec (poker10)

References