PatchSiren cyber security CVE debrief
CVE-2026-8495 Drupal CVE debrief
CVE-2026-8495 is a critical missing-authorization issue in Drupal Date iCal that can allow forceful browsing of content or endpoints that should not be accessible without proper authorization. The advisory states that Date iCal versions from 0.0.0 before 4.0.15 are affected. Because the CVSS vector indicates a network attack vector with no privileges or user interaction required, affected deployments should treat this as an urgent patching item. The official vulnerability record was published on 2026-05-19 and modified on 2026-05-20.
- Vendor: Drupal
- Product: Date iCal
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Drupal administrators, site owners, and security teams responsible for environments using Date iCal. This is especially important for sites exposing calendar, feed, or other content endpoints where authorization is expected to restrict access.
Technical summary
The issue is described as a missing authorization weakness that permits forceful browsing, which maps to CWE-862. In practical terms, this means access control checks are insufficient or bypassable for some Date iCal resources, potentially allowing unauthenticated users to retrieve restricted information or interact with protected functionality. The provided CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation without authentication or user interaction and potentially severe confidentiality, integrity, and availability impact. The affected range is Date iCal from 0.0.0 before 4.0.15, with remediation indicated by upgrading to 4.0.15 or later.
Defensive priority
Urgent. The combination of missing authorization, network reachability, no privileges required, and critical impact makes this a high-priority remediation item for any exposed Drupal Date iCal deployment.
Recommended defensive actions
- Upgrade Drupal Date iCal to version 4.0.15 or later as soon as possible.
- Inventory all Drupal instances to confirm whether Date iCal is installed and whether vulnerable versions are in use.
- Review any exposed calendar or feed endpoints for unintended public access and validate authorization controls.
- Restrict exposure of affected functionality until patching is complete, especially on internet-facing sites.
- Check application and web access logs for unexpected requests to Date iCal-related resources after the advisory date.
- Re-test access controls after remediation to confirm unauthorized browsing is no longer possible.
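The inventory step above can be scripted against each site's composer.lock. This is an added example, not code from the advisory or the Drupal project; it assumes the module is installed through Composer under the package name drupal/date_ical, and the lock file excerpt is constructed.

```python
import json
import re

PACKAGE = "drupal/date_ical"  # assumption: Composer package name for Date iCal
FIXED = (4, 0, 15)            # first fixed release, from the advisory

# Constructed composer.lock excerpt for illustration.
SAMPLE_LOCK = """
{"packages": [
  {"name": "drupal/core", "version": "10.2.5"},
  {"name": "drupal/date_ical", "version": "4.0.14"}
], "packages-dev": []}
"""

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a composer.lock version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version)
    if not m:
        # Dev branches such as 'dev-4.0.x' carry no release number: review by hand.
        return "unknown"
    release = tuple(int(part) for part in m.group(1, 2, 3))
    if release < FIXED:
        return "affected"
    if release == FIXED and m.group(4):
        # A pre-release of 4.0.15 sorts before 4.0.15, so flag it conservatively.
        return "affected"
    return "fixed"

def audit_lock(lock_text):
    """Return (version, status) for Date iCal in one composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, classify(version)
    return None

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of None only means the module is absent from that lock file; copies installed outside Composer need a separate check.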
Evidence notes
This debrief is based only on the supplied CVE/NVD record and the referenced Drupal.org advisory. The record lists the issue as a missing authorization vulnerability enabling forceful browsing, with weakness CWE-862 and a critical CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected version range is stated as Date iCal from 0.0.0 before 4.0.15. NVD marked the record as undergoing analysis at the time of the supplied modified timestamp.
Official resources
- CVE-2026-8495 CVE record (CVE.org)
- CVE-2026-8495 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
Publicly disclosed on 2026-05-19 in the official CVE/NVD record, with a related Drupal.org security advisory referenced by NVD. The record was modified on 2026-05-20 and remained marked 'Undergoing Analysis' in the supplied source snapshot.