PT-2026-2979 · Drupal+2 · Role Delegation+1

Adam Bramley +4 · Published 2026-01-14 · Updated 2026-02-11 · CVE-2026-0945

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Drupal Role Delegation versions 1.3.0 through 1.4.9

Description

A privilege escalation issue exists in the Role Delegation module. The module allows site administrators to grant specific roles the authority to assign selected roles to users, without needing the 'administer permissions' permission. A vulnerability allows a user with the ability to delegate a role to also assign the administrator role, even to their own user account. This is possible when the module is used with the Views Bulk Operations module and an attacker has access to a view of users with the Views Bulk Operations module enabled.

Recommendations

Update to Role Delegation version 1.5.0 or later.
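
As an added example (not part of the advisory or the module's own code), the following Python script checks a site's composer.lock against the affected range stated above and reports whether Views Bulk Operations is installed alongside it. The Composer package names `drupal/role_delegation` and `drupal/views_bulk_operations` and the embedded lock content are assumptions constructed for illustration.

```python
import json

# Affected range as stated in the advisory above (fixed in 1.5.0).
AFFECTED_MIN, AFFECTED_MAX = (1, 3, 0), (1, 4, 9)
# Assumed Composer package names (drupal/<machine_name> convention).
ROLE_DELEGATION = "drupal/role_delegation"
VBO = "drupal/views_bulk_operations"

# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/role_delegation", "version": "1.4.2"},
        {"name": "drupal/views_bulk_operations", "version": "4.3.0"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Turn '1.4.9', 'v1.4.9' or '1.5.0-rc1' into (1, 4, 9); None if unparseable."""
    core = raw.lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None  # e.g. 'dev-1.x': cannot be ranged, needs manual review
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def audit_lock(lock_text):
    """Return (status, vbo_installed) for the text of a composer.lock file."""
    lock = json.loads(lock_text)
    pkgs = {p["name"]: p.get("version", "")
            for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    vbo = VBO in pkgs
    if ROLE_DELEGATION not in pkgs:
        return "not-installed", vbo
    ver = parse_version(pkgs[ROLE_DELEGATION])
    if ver is None:
        return "unknown-version", vbo
    if AFFECTED_MIN <= ver <= AFFECTED_MAX:
        return "affected", vbo
    return "not-affected", vbo


if __name__ == "__main__":
    status, vbo = audit_lock(SAMPLE_LOCK)
    print(f"role_delegation: {status}; views_bulk_operations installed: {vbo}")
```

An "affected" result calls for the update to 1.5.0 or later whether or not Views Bulk Operations is present; the second value only indicates whether the precondition named in the description exists on the site.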

Fix

LPE

Weakness Enumeration

Related Identifiers

CVE-2026-0945
DRUPAL-CONTRIB-2026-002

Affected Products

Role Delegation
Drupal/Role Delegation