Primary

Context

Drupal Date iCal Missing Authorization Vulnerability Allowing Forceful Browsing

Vulnerability

Patched

A missing authorization vulnerability has been identified in the Drupal Date iCal module, versions prior to 4.0.15. This vulnerability allows forceful browsing by not adequately checking access permissions for entities or fields when generating iCal feeds. As a result, all anonymous users can access these routes without any configuration required, leading to potential information disclosure.

Impact

Exploitation of this vulnerability could result in unauthorized access to entity date fields, allowing sensitive information to be exposed through iCal feeds.

Remediation

Users of the Date iCal module for Drupal 10/11 should upgrade to Date iCal version 4.0.15.

Added: May 19, 2026, 11:18 PM

Updated: May 19, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

8.8

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.4

remediation

0.0

relevance

8.8

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Drupal Date iCal Missing Authorization Vulnerability Allowing Forceful Browsing

Vulnerability

Impact

Remediation

Affected Products

Drupal Date iCal

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating