"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

Wed, 2026-02-25 10:43 — Anonymous (not verified)

Project: Material IconsDate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <2.0.4CVE IDs: CVE-2026-3210Description: This module enables you to add icons to CKEditor.
The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios.Solution: Install the latest version and review permissions:

If you use the Material Icons module for Drupal, upgrade to Material Icons 2.0.4.
Assign the newly created "use material icons" permission to users who should have access to the widgets.

Reported By:

Jen M (jannakha)

Fixed By:

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Ra Mänd (ram4nd), provisional member of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-011

Search form

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011