Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass.
Sites that do not have the JSON:API module enabled are not affected.
This advisory is not covered by Drupal Steward.
Install the latest version:
If you are using Drupal 9.2, update to Drupal 9.2.6.
If you are using Drupal 9.1, update to Drupal 9.1.13.
If you are using Drupal 8.9, update to Drupal 8.9.19.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage.
Drupal 7 core does not include the JSON:API module and therefore is not affected.
More Stories
firefox-138.0.3-1.fc40
FEDORA-2025-cc8d7b6c6d Packages in this update: firefox-138.0.3-1.fc40 Update description: New upstream update (138.0.3) Update to latest upstream (138.0) Read More
USN-7506-4: Linux kernel (Xenial HWE) vulnerabilities
Demi Marie Obenour and Simon Gaiser discovered that several Xen para- virtualization device frontends did not properly restrict the access...
xen-4.19.2-4.fc42
FEDORA-2025-b3d59fca78 Packages in this update: xen-4.19.2-4.fc42 Update description: x86: Indirect Target Selection [XSA-469, CVE-2024-28956] Read More
perl-Mojolicious-9.39-1.fc41
FEDORA-2025-c38fd06bec Packages in this update: perl-Mojolicious-9.39-1.fc41 Update description: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded...
perl-Mojolicious-9.39-1.fc40
FEDORA-2025-0e7fe5534f Packages in this update: perl-Mojolicious-9.39-1.fc40 Update description: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded...
znc-1.8.2-16.el8
FEDORA-EPEL-2025-ad4c7abaa9 Packages in this update: znc-1.8.2-16.el8 Update description: CVE-2024-39844 Read More