Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
Project: Theme Negotiation by RulesDate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross-site request forgeryAffected versions: <1.2.1CVE IDs: CVE-2026-3211Description: This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.
The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.
This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.Solution: Install the latest version:
- If you use the Theme Negotiation by Rules module, upgrade to Theme Negotiation by Rules 1.2.1.
Reported By:
- Juraj Nemec (poker10) of the Drupal Security Team
Fixed By:
- Zoltan Attila Horvath (huzooka)
- Juraj Nemec (poker10) of the Drupal Security Team
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
