Cyber Resilience

CVE-2026-0945

High

Published: 04 February 2026

Published
04 February 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 12.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0945 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Role Delegation Project Role Delegation. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0945 is a Privilege Defined With Unsafe Actions vulnerability in the Drupal Role Delegation module that allows privilege escalation. This issue affects Role Delegation versions from 1.3.0 up to but not including 1.5.0. The vulnerability is associated with CWE-267 and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact disruption to confidentiality, integrity, and availability within the unchanged scope, facilitating privilege escalation.

The Drupal security advisory SA-CONTRIB-2026-002, available at https://www.drupal.org/sa-contrib-2026-002, provides further details on mitigation steps.

EU & UK References

Vulnerability details

Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation.This issue affects Role Delegation: from 1.3.0 before 1.5.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation vulnerability exploitable by low-privileged authenticated users over the network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-41244Shared CWE-267
CVE-2026-23526Shared CWE-267
CVE-2026-29646Shared CWE-267
CVE-2026-2460Shared CWE-267
CVE-2025-23015Shared CWE-267
CVE-2026-27314Shared CWE-267
CVE-2025-14349Shared CWE-267
CVE-2024-55968Shared CWE-267
CVE-2026-2459Shared CWE-267
CVE-2026-42406Shared CWE-267

Affected Assets

role delegation project
role delegation
8.x-1.3 — 8.x-1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of software flaws like the unsafe privilege actions in the Drupal Role Delegation module, directly preventing exploitation via patching to version 1.5.0.

prevent

Enforces least privilege by limiting user roles to only essential permissions, mitigating privilege escalation from unsafe actions defined in the vulnerable module.

prevent

Provides processes for managing accounts, roles, and privileges, enabling review and restriction of unsafe permissions granted by the Role Delegation module.

References