Drupal releases security advisory to address vulnerability in Drupal core

Target Industry

Indiscriminate, opportunistic targeting.


Drupal has released patches to address a critical vulnerability impacting some older versions. A cyber attacker can exploit the vulnerability and take control of the affected system. It’s essential to take immediate action to secure your Drupal-based website.


If exploitation is successful, a threat actor can take control of the system and manipulate it by uploading malicious files to a Drupal site that uses REST or JSON APIs, bypassing the file validation process.

Vulnerability Detection

Cache poisoning is an attack in which the attacker aims to compromise the system, often with the goal of manipulating the data that is served from the cache. It can lead to various security issues, including redirecting legitimate traffic to malicious websites, causing service disruption and delivering malicious content.

Affected Products

Drupal versions 8.9.x, 9.1.x, and 9.2.x.

Containment, Mitigations & Remediations

Users are strongly advised to take immediate action and fix the vulnerability by updating to the latest versions of Drupal listed below:

  • Drupal 10.1, update to Drupal 10.1.4
  • Drupal 10.0, update to Drupal 10.0.11
  • Drupal 9.5, update to Drupal 9.5.11.

Users are also advised to update all versions of Drupal 9 prior to 9.5 as they are end-of-life. However, Drupal 7 is not affected.
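A triage check built from the remediation list above, added here as an example and not part of the original bulletin or of Drupal's own tooling. The site names and versions in the inventory are constructed, and treating a pre-release tag (such as `-rc1`) as older than the fixed release is an assumption.

```python
import re

# Fixed release per supported branch, taken from the bulletin's remediation list.
FIXED = {(10, 1): (10, 1, 4), (10, 0): (10, 0, 11), (9, 5): (9, 5, 11)}

# major.minor[.patch][-prerelease]; Drupal 7 uses two-part versions such as 7.98.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def triage(version):
    """Classify one Drupal core version string against the bulletin."""
    m = _VERSION.match(version.strip())
    if not m:
        # Branch snapshots such as "10.1.x-dev" carry no patch level to compare.
        return "unparsed: check manually"
    release = (int(m[1]), int(m[2]), int(m[3] or 0))
    prerelease = m[4] is not None  # assumption: 10.1.4-rc1 predates 10.1.4
    if release[0] == 7:
        return "not affected"
    fixed = FIXED.get(release[:2])
    if fixed:
        if release > fixed or (release == fixed and not prerelease):
            return "patched"
        return "update to %d.%d.%d" % fixed
    if release[0] == 9 and release[1] < 5:
        return "end-of-life: move to a supported release"
    if release[:2] == (8, 9):
        return "listed as affected: no fixed release given"
    return "not listed: review against SA-CORE-2023-006"


def triage_inventory(sites):
    """Map site name -> result; every site is reported so gaps stay visible."""
    return {name: triage(version) for name, version in sites.items()}


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE = {
    "intranet": "10.1.3",
    "shop": "10.0.11",
    "staging": "10.1.4-rc1",
    "legacy-blog": "9.2.7",
    "archive": "7.98",
    "sandbox": "10.1.x-dev",
}

if __name__ == "__main__":
    for name, result in triage_inventory(SAMPLE).items():
        print(f"{name:12} {SAMPLE[name]:12} {result}")
```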

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Threat Landscape

Drupal is a popular open-source content management system that runs millions of websites and applications. Drupal core is the main part of Drupal and provides its essential functionality and features. A successful attacker can control the system and upload and delete files, leading to a compromise of the site or its data. The mitigation has restricted access to the administrative permission. Exploit paths for the same vulnerability may allow a user to write Twig templates with contributed and customised code.

Mitre Methodologies


TA0002 – Execution

Further Information

CISA (Drupal Releases Security Advisory to Address Vulnerability in Drupal Core | CISA) issued an alert to encourage users to review the Drupal security advisory and apply the necessary updates as soon as possible.

Drupal core – Critical – Cache poisoning – SA-CORE-2023-006 | Drupal.org


An Intelligence Terminology Yardstick showing the likelihood of events