Drupal 8 and 9 core - Less critical - Access bypass - SA-CORE-2020-006

Drupal Security

Project: Drupal core
Date: 2020-June-17
Security risk: Less critical 8∕25 
Vulnerability: Access bypass
CVE IDs: CVE-2020-13665


JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.


Install the latest version:

If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8.
If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1.
If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1.

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage. Sites on 8.7.x or earlier should update to 8.8.8.

We value your opinion. Please add your feedback.