{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3216", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:32.261Z", "datePublished": "2026-03-25T15:24:17.937Z", "dateUpdated": "2026-03-26T14:41:26.753Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:17.937Z"}, "title": "Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017", "datePublic": "2026-02-25T18:51:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"vendor": "Drupal", "product": "Drupal Canvas", "collectionURL": "https://www.drupal.org/project/canvas", "repo": "https://git.drupalcode.org/project/canvas", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.<p>This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-017"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)", "type": "remediation developer"}, {"lang": "en", "value": "Ignacio S\u00c3\u00a1nchez Holgueras (isholgueras)", "type": "remediation developer"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "remediation developer"}, {"lang": "en", "value": "Narendra Singh Rathore (narendrar)", "type": "remediation developer"}, {"lang": "en", "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)", "type": "remediation developer"}, {"lang": "en", "value": "Tim Plunkett (tim.plunkett)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:13:57.967836Z", "id": "CVE-2026-3216", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:41:26.753Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:13:57.967836Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:14:14.588Z"}}], "cna": {"title": "Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "B\u00c3\u00a1lint Kl\u00c3\u00a9ri (balintbrews)"}, {"lang": "en", "type": "remediation developer", "value": "Ignacio S\u00c3\u00a1nchez Holgueras (isholgueras)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Narendra Singh Rathore (narendrar)"}, {"lang": "en", "type": "remediation developer", "value": "Christian L\u00c3\u00b3pez Esp\u00c3\u00adnola (penyaskito)"}, {"lang": "en", "type": "remediation developer", "value": "Tim Plunkett (tim.plunkett)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/canvas", "vendor": "Drupal", "product": "Drupal Canvas", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.1", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/canvas", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:51:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-017"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.<p>This issue affects Drupal Canvas: from 0.0.0 before 1.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:24:17.937Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3216", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:41:26.753Z", "dateReserved": "2026-02-25T16:59:32.261Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:24:17.937Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal Drupal Canvas allows Server Side Request Forgery.This issue affects Drupal Canvas: from 0.0.0 before 1.1.1."}], "id": "CVE-2026-3216", "lastModified": "2026-03-26T15:16:40.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:22.777", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-017"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Drupal Canvas", "source": "cna", "vendor": "Drupal"}, "product": "drupal_canvas", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T23:17:01.898376+00:00", "value": {"mitigation_remediation": ["Upgrade Drupal Canvas to version 1.1.1 or later.", "If an immediate upgrade is not possible, restrict outbound HTTP requests from the web server or firewall to mitigate further exploitation."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw affects Drupal Canvas versions from 0.0.0 through 1.1.0 inclusive, as documented by the Drupal community. Owners of sites running any of these releases are exposed until the vulnerability is mitigated.", "description_and_impact": "Drupal Canvas contains a server\u2011side request forgery vulnerability (CWE\u2011918) that allows an unauthenticated attacker to instruct the affected system to make arbitrary HTTP requests to internal or external resources. An attacker could disclose sensitive information, reach internal services, or otherwise manipulate the server\u2019s network connectivity by crafting malicious requests to the Canvas module. The vulnerability is limited to the request\u2011building logic and does not grant remote code execution, but the potential for information leakage makes it a noteworthy security concern.", "risk_and_exploitability": "The CVSS score of 4.3 rates the vulnerability as moderate. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog, indicating that large\u2011scale exploitation has not been observed. The likely attack vector is through HTTP requests to the Canvas endpoint, requiring network visibility to the application. While exploitation does not require privileged access, the existence of SSRF can allow attackers to probe internal infrastructure and potentially exfiltrate data. Organizations should consider the risk of sensitive information leakage and the ease of access via publicly reachable web services."}}}}, "created": "2026-03-25T21:31:01.368933+00:00", "updated": "2026-03-26T12:13:20.564386+00:00", "vendors": ["drupal", "drupal$PRODUCT$drupal_canvas"]}