CVE-2026-3573
Published: 26 March 2026
Summary
CVE-2026-3573 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Artificial Intelligence Project Artificial Intelligence. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3573 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal AI (Artificial Intelligence) module that allows Resource Injection. The issue affects all versions from 0.0.0 before 1.1.11 and from 1.2.0 before 1.2.12. Published on 2026-03-26, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its potential for confidential data exposure.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as unauthorized access to sensitive resources, without affecting integrity or availability.
The Drupal security advisory SA-CONTRIB-2026-028 at https://www.drupal.org/sa-contrib-2026-028 provides details on mitigation, including upgrade guidance to patched versions of the AI module.
This vulnerability occurs in a Drupal module handling artificial intelligence features, making it relevant for sites integrating AI functionalities. No public information on real-world exploitation is available in the provided details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16391
Vulnerability details
Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, artificial intelligence
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is an authz bypass in public-facing Drupal web app enabling remote unauthenticated access to sensitive resources (T1190 for initial exploitation of public-facing app; T1005 for resulting data access from local system resources).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces system-wide access control policies to prevent unauthenticated attackers from exploiting incorrect authorization for resource injection in the Drupal AI module.
Mandates timely remediation of identified flaws, such as patching vulnerable Drupal AI module versions before 1.1.11 or 1.2.12 as per the security advisory.
Implements least privilege to limit the scope of unauthorized resource access even if authorization enforcement partially fails.