CVE-2026-55804 in Drupalinfo

Summary

by MITRE • 07/11/2026

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

This vulnerability represents a critical flaw in Drupal core's object handling mechanisms that enables unauthorized modification of dynamically determined object attributes through improper access controls. The issue stems from insufficient validation and sanitization of user-supplied input that gets processed as part of object attribute assignments, creating a pathway for malicious actors to inject arbitrary data into system objects. The vulnerability has been identified across multiple Drupal version ranges, indicating a widespread impact that spans from early releases through recent major versions, making it particularly concerning for organizations maintaining legacy systems.

The technical exploitation occurs when Drupal processes user input that influences object attribute names or values in dynamic contexts. This creates an object injection scenario where attackers can manipulate the internal state of objects through carefully crafted inputs that bypass normal access controls and validation mechanisms. The flaw specifically affects how Drupal core handles dynamically determined attributes, allowing malicious users to modify object properties that should remain protected or immutable. This vulnerability type maps directly to CWE-94, which describes "Improper Control of Generation of Code" and falls under the broader category of code injection vulnerabilities.

The operational impact of this vulnerability extends beyond simple data manipulation, as it can lead to complete system compromise when combined with other attack vectors. Attackers can leverage this weakness to escalate privileges, modify critical application components, or potentially execute arbitrary code within the Drupal environment. The vulnerability affects core object management functionality and can be particularly dangerous in multi-user environments where different roles have distinct permission levels. Given that Drupal powers millions of websites globally, the potential for widespread exploitation makes this a high-priority security concern for organizations maintaining web applications.

Organizations should implement immediate mitigations including applying the latest available security patches from Drupal core releases, implementing strict input validation at all application boundaries, and reviewing existing access control policies to ensure proper attribute-level permissions. Additional protective measures include deploying web application firewalls to monitor for suspicious input patterns, conducting thorough code reviews focusing on object attribute handling, and implementing runtime monitoring to detect anomalous object manipulation attempts. The vulnerability aligns with several ATT&CK techniques including privilege escalation and defense evasion, making comprehensive security monitoring essential for detection and response. Organizations should also consider implementing automated vulnerability scanning tools that can identify similar patterns in custom Drupal modules or third-party extensions that may be vulnerable to the same class of attack.

Responsible

Drupal

Reservation

06/17/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!