Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

Project: Automated Logout
Date: 2026-March-18
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Cross-site request forgery
Affected versions: <1.7.0 || >=2.0.0 <2.0.2
CVE IDs: CVE-2026-4393

Description: This module provides a site administrator the ability to log users out after a specified time of inactivity.
The module doesn't sufficiently protect its routes from cross-site request forgery (CSRF), allowing the logout route to be triggered without user interaction.

Solution: Install the latest version:

  • If you use Automated Logout 8.x-1.x version 8.x-1.6 or lower, upgrade to autologout 8.x-1.7.
  • If you use Automated Logout 2.x version 2.0.1 or lower, upgrade to autologout 2.0.2.
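
To check many sites against the affected range above, the following added example (not part of the advisory or the module) classifies the version pinned in a composer.lock file. It assumes the module is installed under the Composer name drupal/autologout; the lock contents are constructed samples.

```python
import json
import re

# Assumption: Composer package name for the Automated Logout project.
PACKAGE = "drupal/autologout"


def parse_version(raw):
    """Return (major, minor, patch) for '8.x-1.6', '1.6.0', 'v2.0.1' or '2.0.1'.

    Dev and pre-release strings raise ValueError so callers fail closed.
    """
    text = re.sub(r"^\d+\.x-", "", raw.strip().lstrip("v"))
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"not a plain release: {raw!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(raw):
    """Apply the advisory range: <1.7.0 || >=2.0.0 <2.0.2."""
    version = parse_version(raw)
    return version < (1, 7, 0) or (2, 0, 0) <= version < (2, 0, 2)


def audit_lock(lock_text):
    """Classify the module version pinned in a composer.lock document."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        try:
            return "affected" if is_affected(pkg["version"]) else "fixed"
        except (KeyError, ValueError):
            return "review"  # dev branch or pre-release: check by hand
    return "not-installed"


# Constructed sample lock files, one per hypothetical site.
SAMPLE_LOCKS = {
    "site-a": '{"packages": [{"name": "drupal/autologout", "version": "1.6.0"}]}',
    "site-b": '{"packages": [{"name": "drupal/autologout", "version": "2.0.2"}]}',
    "site-c": '{"packages": [{"name": "drupal/autologout", "version": "2.0.x-dev"}]}',
    "site-d": '{"packages": [{"name": "drupal/core", "version": "10.3.1"}]}',
}

if __name__ == "__main__":
    for site, lock_text in SAMPLE_LOCKS.items():
        print(site, audit_lock(lock_text))
```

A "review" result means the pinned version is a dev or pre-release build that the range cannot be applied to mechanically.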

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2026-030