Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.

Affected Packages

Packagist drupal/core

Affected versions: 8.0.0 (fixed in 8.9.19)

Packagist drupal/core

Affected versions: 9.1.0 (fixed in 9.1.13)

Packagist drupal/core

Affected versions: 9.2.0 (fixed in 9.2.6)

Related CVEs

CVE-2020-13677

Key Information

GHSA ID

GHSA-3xr3-phjp-g6p2

Published

February 12, 2022 12:00 AM

Last Modified

October 4, 2023 2:45 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

drupal/core

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.