Cyber Posture

CVE-2026-3573

High

Published: 26 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: upgrade the AI module to 1.1.11 or 1.2.12 (see the Drupal advisory)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (19.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3573 is a high-severity Incorrect Authorization (CWE-863) vulnerability in the Drupal AI (Artificial Intelligence) module, catalogued under the vendor "Artificial Intelligence Project" and product "Artificial Intelligence". Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 19.8th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1005, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- AC-3 Access Enforcement (prevent): Enforces system-wide access control policies so that unauthenticated attackers cannot exploit the incorrect authorization check to perform resource injection in the Drupal AI module.

- SI-2 Flaw Remediation (prevent): Mandates timely remediation of identified flaws, here by patching Drupal AI module versions earlier than 1.1.11 (1.1.x branch) or 1.2.12 (1.2.x branch) as directed by the security advisory.

- AC-6 Least Privilege (prevent): Implements least privilege to limit the scope of unauthorized resource access even if authorization enforcement partially fails.

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is an authorization bypass in a public-facing Drupal web application that enables remote, unauthenticated access to sensitive resources: T1190 covers the initial exploitation of the public-facing application, and T1005 the resulting access to data held in local system resources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12.

Deeper analysis [AI]

CVE-2026-3573 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal AI (Artificial Intelligence) module that allows Resource Injection. The issue affects all versions from 0.0.0 before 1.1.11 and from 1.2.0 before 1.2.12. Published on 2026-03-26, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its potential for confidential data exposure.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as unauthorized access to sensitive resources, without affecting integrity or availability.

The Drupal security advisory SA-CONTRIB-2026-028 at https://www.drupal.org/sa-contrib-2026-028 provides details on mitigation, including upgrade guidance to patched versions of the AI module.

This vulnerability occurs in a Drupal module handling artificial intelligence features, making it relevant for sites integrating AI functionalities. No public information on real-world exploitation is available in the provided details.

Details

CWE(s): CWE-863 Incorrect Authorization

Affected Products

Vendor: artificial intelligence project
Product: artificial intelligence
Versions: ≤ 1.1.11 · 1.2.0 – 1.2.12 (the NVD description above gives the ranges as from 0.0.0 before 1.1.11 and from 1.2.0 before 1.2.12)

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, artificial intelligence, ai, artificial intelligence

CVEs Like This One

- CVE-2025-31678: same product (Artificial Intelligence Project Artificial Intelligence)
- CVE-2025-31677: same product (Artificial Intelligence Project Artificial Intelligence)
- CVE-2026-42438: shared CWE-863
- CVE-2026-26316: shared CWE-863
- CVE-2026-26336: shared CWE-863
- CVE-2026-40515: shared CWE-863
- CVE-2026-34376: shared CWE-863
- CVE-2026-23989: shared CWE-863
- CVE-2026-4933: shared CWE-863
- CVE-2026-31887: shared CWE-863
