Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

Project: Next.js
Version: 1.2.0, 1.1.0, 1.0.0
Date: 2022-September-07
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass


The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.

The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.


If you use the Next.js module for Drupal 9.x:

  1. Upgrade to version v1.3.0.
  2. Edit the Next.js user and assign all roles that can be used as scopes. The granted roles will be filtered based on roles assigned to the current user.

See the upgrade guide at

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.