Drupal Security Team Issues Critical Advisory for Date iCal Module Vulnerability
Users of the Date iCal contributed module are being urged to update to version 4.0.15 after the Drupal Security Team disclosed a critical information disclosure vulnerability affecting all earlier releases. Tracked as CVE-2026-8495, the flaw could allow anonymous users to access restricted information through publicly accessible iCal feeds.
Date iCal is a contributed Drupal module that enables entities with date fields to be exported as iCalendar feeds. According to security advisory SA-CONTRIB-2026-037, the module does not sufficiently verify entity and field access permissions when generating feeds and does not adequately sanitise user input. The advisory states that the affected routes are accessible to anonymous users by default and that the issue is not mitigated by permissions or additional configuration.
The Drupal Security Team has classified the vulnerability as Critical and identified it as an information disclosure issue. The advisory notes that the weakness could expose information that should otherwise remain restricted. The vulnerability has also been assigned a CVSS score of 9.8, reflecting the severity of the issue and the lack of authentication requirements for exploitation.
Administrators using the Date iCal module on Drupal 10 or Drupal 11 are advised to upgrade immediately to Date iCal 4.0.15, which contains the security fix. Organisations may also wish to review access logs for unexpected requests to iCal feed endpoints while applying updates.
The vulnerability was reported by Drew Webber (mcdruid) of the Drupal Security Team and fixed by Joël Pittet (joelpittet). Coordination was provided by Greg Knaddison (greggles), Dave Long (longwave), Juraj Nemec (poker10), and Webber on behalf of the Drupal Security Team.
References
-
CRITICAL VULNERABILITY ALERT (30 May 2026)


