vulnerability
Drupal Drupal: CVE-2023-5256: Exposure of Sensitive Information to an Unauthorized Actor
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:S/C:C/I:C/A:C) | Sep 28, 2023 | Sep 22, 2025 | Dec 1, 2025 |
Severity
9
CVSS
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published
Sep 28, 2023
Added
Sep 22, 2025
Modified
Dec 1, 2025
Description
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
Solution
drupal-upgrade
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.