Drupal Modules: Critical Vulnerability Leading to Code Execution (CVE-2026-9726) and Information Disclosure (CVE-2026-10768)
This text was generated using artificial intelligence (AI).In late May and early June 2026, the Drupal Security Team published two security advisories for widely used contributed modules. The vulnerabilities affect the following modules: AlternativeCommerce (Basket) and LocalGov Workflows. One of the vulnerabilities, CVE-2026-9726, is classified as high severity and allows for the execution of arbitrary code. Security updates are available for both vulnerabilities, and installing them is a high priority for operators of Drupal instances.
Moderate vulnerability: CVE-2026-10768 in drupal/localgov_workflows
Risk: Information Disclosure (Drupal Risk Score: 14/25)
Affected versions: All before 1.6.0
Fixed in: Version 1.6.0
Technical Findings: From Code Execution to Data Leaks
The two vulnerabilities differ significantly in their technical nature and potential impact.
CVE-2026-9726: PHP Object Injection in the Basket Module
The vulnerability in the module, which is classified as highly critical, AlternativeCommerce (Basket) is caused by insufficient validation of user-provided serialized data. Before this data is passed to the PHP function unserialize() If the data is passed on without sufficient sanitization, this enables an attack via PHP object injection. An attacker can send specially crafted data to the system to execute arbitrary PHP code on the server if a suitable gadget chain is present in the code. This can lead to the complete compromise of the system. The advisory SA-CONTRIB-2026-038 was published on May 27, 2026, and fixed by Drew Webber (mcdruid) and Helena Zajika; the vulnerability was also reported by Drew Webber (mcdruid).
The Drupal Security Team rates this risk as 22 out of 25 points. The weight vector (AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All) illustrates the danger: The attack requires no special preparation or authentication and can compromise the confidentiality and integrity of the entire application.
CVE-2026-10768: Information Leak in LocalGov Workflows
The second vulnerability in the module LocalGov Workflows is used with 14 out of 25 points Rated as moderately critical. This vulnerability involves insufficient access control on a view that displays service contacts. Unauthorized users can thereby view the names of contacts and the content associated with them. Although this vulnerability does not allow for direct code execution, the exposed information can be exploited for social engineering attacks or to prepare more complex attacks. The advisory SA-CONTRIB-2026-039 was published on June 3, 2026; reported by Maria Young (maria.y), fixed by Finn Lewis and Rupert Jabelman, and coordinated by Greg Knaddison (greggles) of the Drupal Security Team.
Action Required: Apply Patches and Test
For both vulnerabilities, the recommended action is to immediately install the security updates provided. Both advisories list the exploitability parameter E:Theoretical — There are no known active exploits to date; however, the public disclosure of the technical details increases the theoretical risk of an attack.
AlternativeCommerce (Basket): Operators must upgrade to version 2.1.17 or update to a newer version. If an immediate update is not possible, the module should be temporarily disabled to minimize the risk of an attack.
LocalGov Workflows: An upgrade to version 1.6.0 or later closes the information leak.
Companies should use this incident as an opportunity to conduct a comprehensive inventory of all Drupal modules in use and review their patch management process.
DACH and EU Context
For operators in Germany, Austria, and Switzerland, two regulatory aspects are particularly relevant. First, the disclosure of names and associated content enabled by CVE-2026-10768 may involve personal data. In this case, the reporting requirement under Art. 33 of the GDPR: Data controllers must report a data breach to the competent supervisory authority within 72 hours. Second, operators of critical infrastructure and public authorities that fall under the NIS-2 Directive are required to demonstrate active patch management for the software components they use—promptly addressing CVE-2026-9726 and CVE-2026-10768 is therefore necessary not only from a technical standpoint but also to ensure compliance. The BSI generally recommends installing available security updates for exposed web applications without undue delay.
Visibility and Control with EASM and C-SRM
Managing systems such as Drupal highlights two key challenges in modern IT security: maintaining control over one's own externally accessible infrastructure and managing risks in the supply chain.
Understanding External Attack Vectors (EASM): Drupal instances, especially those with a large number of contrib modules, can quickly become a complex part of the external attack surface. Shadow IT, forgotten subdomains, or uninventoried cloud assets—such as staging environments that have remained publicly accessible—often fall outside the scope of centralized patch management. An External Attack Surface Management (EASM) platform like LocateRisk continuously identifies all of a company’s publicly accessible systems, including web applications. This makes it possible to determine where Drupal is being used and whether potentially vulnerable components are exposed. This provides the necessary transparency to roll out patches in a targeted and comprehensive manner.
Managing Supply Chain Risks (C-SRM): Websites are often managed by external service providers, such as marketing or web agencies. If their Drupal instance is affected by CVE-2026-9726, this poses a direct risk to your company. Continuous Supply Chain Risk Management (C-SRM) automatically and continuously assesses the security of your suppliers. If a partner’s security rating drops due to a critical, unpatched vulnerability, you will receive an alert and can proactively demand corrective action. This supports compliance with requirements such as NIS-2 or ISO 27001, which mandate active management of supply chain risks.
The LocateRisk solution offers a „Made in Germany“ platform that is hosted in certified German data centers, helps ensure compliance with GDPR requirements, and significantly reduces the risk of exposure to the U.S. Cloud Act.
PHP object injection occurs when an application passes user-supplied data to a PHP function without sufficient validation unserialize() passes. An attacker can exploit this to inject specially crafted objects. If a suitable gadget chain exists in the application code, this can lead to the execution of arbitrary PHP code on the server—in the worst case, resulting in the complete compromise of the Drupal instance (Drupal Risk Score 22/25, AC:None/A:None).
CVE-2026-9726 affects all versions of the module drupal/basket (AlternativeCommerce) before 2.1.17; the fixed version is 2.1.17. CVE-2026-10768 affects all versions of drupal/localgov_workflows before 1.6.0; the fixed version is 1.6.0. Both security updates are available for download on drupal.org.
For the Basket module, an immediate upgrade to version 2.1.17 or later is required. If an update is not possible in the short term, the Drupal Security Team recommends temporarily disabling the module to minimize the risk of attack. For LocalGov Workflows, upgrading to version 1.6.0 or newer. In addition, operators should take inventory of all installed Contrib modules and verify that their patch management process is up to date.
CVE Quick Check
In just a few minutes, check whether there are any indications of a current CVE on your externally visible attack surface.
A rough estimate in just a few minutes via email.
Learn more during a free consultation with a LocateRisk consultant.
You'll receive this by email
companyYour Company, LLC
Verified CVECVE-2024-3094
Passive Assessment
Information About the CVENotes found
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.