Skip to main content

Exposure of Sensitive Information to an Unauthorized Actor


Severity High
Score 7.5/10


In certain scenarios, Drupal's "JSON:API" module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the "JSON:API" module enabled, and can be mitigated by uninstalling "JSON:API". The core REST and contributed GraphQL modules are not affected. This vulnerability affects drupal in versions 8.7.0-beta1 through 9.5.10, 10.0.0 through 10.0.10, and 10.1.0 through 10.1.3.

  • HIGH
  • HIGH
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

Advisory Timeline

  • Published