CVE-2026-0944

🗓️ 04 Feb 2026 20:25:17Reported by drupalType

Moderately critical access bypass in group invites enables forceful browsing on Drupal versions before 2.3.9, 3.0.4, and 4.0.4.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-0944	4 Feb 202620:25	–	attackerkb
CNNVD	Drupal Group invite 安全漏洞	4 Feb 202600:00	–	cnnvd
Cvelist	CVE-2026-0944 Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001	4 Feb 202620:25	–	cvelist
Drupal	Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001	14 Jan 202600:00	–	drupal
EUVD	EUVD-2026-5346	4 Feb 202620:25	–	euvd
NVD	CVE-2026-0944	4 Feb 202621:15	–	nvd
OSV	DRUPAL-CONTRIB-2026-001	14 Jan 202617:53	–	osv
Positive Technologies	PT-2026-2978	14 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-0944	6 Feb 202601:26	–	redhatcve
Vulnrichment	CVE-2026-0944 Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001	4 Feb 202620:25	–	vulnrichment

NVD

Node

metadrop group_inviteRange<2.3.9drupal

metadrop group_inviteRange3.0.0–3.0.4drupal

metadrop group_inviteRange4.0.0–4.0.4drupal

[
  {
    "collectionURL": "https://www.drupal.org/project/ginvite",
    "defaultStatus": "unaffected",
    "product": "Group invite",
    "repo": "https://git.drupalcode.org/project/ginvite",
    "vendor": "Drupal",
    "versions": [
      {
        "lessThan": "2.3.9",
        "status": "affected",
        "version": "0.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.0.4",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.0.4",
        "status": "affected",
        "version": "4.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
drupal	www.drupal.org/sa-contrib-2026-001

11 Feb 2026 19:19Current

5.3Medium risk

Vulners AI Score5.3

CVSS 3.15.3

EPSS0.00043

SSVC

CWE-754