PT-2026-55224 · Drupal+1 · Flowdrop+1

Aincient Labs

+5

·

Published

2026-07-01

·

Updated

2026-07-10

·

CVE-2026-58589

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions FlowDrop versions 0.0.0 through 1.6.0
Description A missing authorization issue allows forceful browsing. The module, which enables testing and running AI-driven workflows via a chat interface, fails to sufficiently enforce permissions on certain endpoints. This may allow attackers to trigger workflow execution, resulting in LLM (Large Language Model) costs and tool side effects, or enable them to send messages into sessions belonging to other users. This issue is mitigated if the attacker does not possess the "View any session" permission, which is not granted to anonymous or authenticated users by default.
Recommendations Update FlowDrop to a version later than 1.6.0. Restrict the "View any session" permission to prevent unauthorized users from accessing the affected endpoints.

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58589
DRUPAL-CONTRIB-2026-067

Affected Products

Flowdrop
Drupal/Flowdrop