PT-2026-5242 · Drupal · Drupal/Canvas
Alex Bronstein +5 · Published 2026-01-28 · Updated 2026-02-04 · CVE-2026-1553
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Drupal Canvas versions prior to 1.0.4
Description
The Drupal Canvas module has an authorization issue that allows forceful browsing of Canvas Pages when they are unpublished. The module does not adequately validate access to Canvas Pages, potentially allowing unauthorized access. This is mitigated by the fact that content moderation is not enabled by default and archiving is not a feature of the module.
Recommendations
Update to Drupal Canvas version 1.0.4 or later.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Drupal/Canvas