Drupal Security Team Issues Critical Advisory for Date iCal Module Vulnerability

Poster for iCal Security Vulnerability

Users of the Date iCal contributed module are being urged to update to version 4.0.15 after the Drupal Security Team disclosed a critical information disclosure vulnerability affecting all earlier releases. Tracked as CVE-2026-8495, the flaw could allow anonymous users to access restricted information through publicly accessible iCal feeds.

Date iCal is a contributed Drupal module that enables entities with date fields to be exported as iCalendar feeds. According to security advisory SA-CONTRIB-2026-037, the module does not sufficiently verify entity and field access permissions when generating feeds and does not adequately sanitise user input. The advisory states that the affected routes are accessible to anonymous users by default and that the issue is not mitigated by permissions or additional configuration.

The Drupal Security Team has classified the vulnerability as Critical and identified it as an information disclosure issue. The advisory notes that the weakness could expose information that should otherwise remain restricted. The vulnerability has also been assigned a CVSS score of 9.8, reflecting the severity of the issue and the lack of authentication requirements for exploitation.

Administrators using the Date iCal module on Drupal 10 or Drupal 11 are advised to upgrade immediately to Date iCal 4.0.15, which contains the security fix. Organisations may also wish to review access logs for unexpected requests to iCal feed endpoints while applying updates.

The vulnerability was reported by Drew Webber (mcdruid) of the Drupal Security Team and fixed by Joël Pittet (joelpittet). Coordination was provided by Greg Knaddison (greggles), Dave Long (longwave), Juraj Nemec (poker10), and Webber on behalf of the Drupal Security Team.

Disclosure: This content is produced with the assistance of AI.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.

Upcoming Events