CVE-2026-55803 in Drupal
Summary
by MITRE • 07/11/2026
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
This vulnerability represents a critical flaw in Drupal core's object handling mechanisms that enables unauthorized modification of dynamically determined object attributes through improper access control measures. The issue stems from insufficient validation and sanitization of user-supplied input that influences object properties during runtime execution, creating opportunities for malicious actors to inject or manipulate object state information. Such flaws typically arise when applications fail to properly validate or escape data that flows into object attribute assignments, particularly in contexts where dynamic object construction occurs based on external input sources.
The technical implementation of this vulnerability allows attackers to exploit the lack of proper validation controls during object attribute modification processes, potentially leading to object injection attacks that can compromise application integrity and security. This weakness specifically affects Drupal core versions across multiple release streams, including the 10.x series up to 10.5.12, 10.6.0 through 10.6.11, 11.2.0 through 11.2.14, 11.3.0 through 11.3.12, and various versions within the 11.0.x and 11.1.x release branches. The vulnerability manifests when user input influences object attribute determination without adequate sanitization or access control enforcement, creating pathways for attackers to manipulate object state information in ways that were not intended by the application design.
The operational impact of this vulnerability extends beyond simple data manipulation, potentially enabling attackers to achieve unauthorized code execution, privilege escalation, or complete system compromise depending on the specific implementation context. When exploited successfully, this flaw can allow malicious users to inject arbitrary objects into the application's runtime environment, potentially leading to remote code execution scenarios or data integrity violations. The implications are particularly severe in web applications that rely heavily on dynamic object creation and attribute assignment mechanisms, as these systems become vulnerable to injection attacks that bypass traditional input validation controls.
Security mitigations for this vulnerability require immediate patching of affected Drupal core versions to address the improper access control mechanisms that permit unauthorized modification of dynamically determined object attributes. Organizations should implement comprehensive input validation and sanitization procedures that enforce strict access controls during object attribute assignment operations, ensuring that all external data flows are properly validated before being used in dynamic object construction contexts. Additionally, security teams should conduct thorough code reviews focusing on object manipulation patterns and implement runtime monitoring to detect anomalous object attribute modifications that may indicate exploitation attempts.
This vulnerability aligns with CWE-915 which specifically addresses improper control of dynamically-determined object attributes, and represents a significant concern within the ATT&CK framework under the privilege escalation and code injection categories. The remediation approach should include not only immediate patch deployment but also comprehensive security awareness training for developers regarding proper object handling practices and the implementation of automated static analysis tools to identify similar patterns in application codebases. Organizations must prioritize updating their Drupal installations to versions that have addressed this specific weakness, as continued operation on vulnerable releases exposes systems to potential exploitation by threat actors targeting these known vulnerabilities.