CVE-2025-14472: CWE-352 Cross-Site Request Forgery (CSRF) in Drupal Acquia Content Hub
CVE-2025-14472 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting Drupal's Acquia Content Hub versions before 3.6.4 and between 3.7.0 and 3.7.3. The vulnerability allows attackers to trick authenticated users into executing unwanted actions on the Content Hub without their consent, potentially leading to unauthorized data modification or leakage. Exploitation requires user interaction but no privileges or authentication from the attacker. The vulnerability impacts confidentiality and integrity but not availability.
AI Analysis
Technical Summary
CVE-2025-14472 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Acquia Content Hub module of Drupal, a widely used content management system. The affected versions include all releases from 0.0.0 up to but not including 3.6.4, and from 3.7.0 up to but not including 3.7.3. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request, which the server trusts as legitimate. In this case, the vulnerability allows an attacker to induce authenticated users of Drupal sites that use Acquia Content Hub to perform unintended actions, such as modifying content or configuration, without their knowledge or consent. The CVSS 3.1 base score of 8.1 reflects that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The impact on confidentiality and integrity is high (C:H, I:H), while availability is not affected (A:N). The vulnerability does not require the attacker to be authenticated, but the victim must be logged into the vulnerable Drupal site. No public exploits have been reported yet, but the high severity and widespread use of Drupal make this a significant risk. The vulnerability stems from insufficient anti-CSRF protections in the Acquia Content Hub module, allowing malicious cross-site requests to bypass security controls. The issue was reserved in December 2025 and published in January 2026. Since Acquia Content Hub is used for content syndication and sharing across Drupal sites, exploitation could lead to unauthorized content changes or data leakage across interconnected sites.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of web content managed via Drupal Acquia Content Hub. Organizations relying on this module for content distribution or synchronization could face unauthorized content modifications, potentially leading to misinformation, reputational damage, or data breaches. Given the network attack vector and lack of required privileges, attackers can target any authenticated user, increasing the attack surface. Public-facing Drupal sites in sectors such as government, finance, healthcare, and media are particularly at risk due to the sensitivity of their content and regulatory requirements like GDPR. Unauthorized content changes could also facilitate phishing or malware distribution campaigns. Although availability is not impacted, the integrity and confidentiality breaches could result in compliance violations and financial losses. The absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score underscores the urgency. The interconnected nature of Acquia Content Hub deployments means a successful attack could propagate malicious changes across multiple sites, amplifying the impact.
Mitigation Recommendations
European organizations should immediately verify their Drupal Acquia Content Hub versions and upgrade to versions 3.6.4 or later, or 3.7.3 or later, where the vulnerability is patched. If upgrading is not immediately possible, implement strict CSRF token validation on all forms and state-changing requests within the Content Hub module. Employ Content Security Policy (CSP) headers to restrict the origins that can interact with the site, reducing the risk of malicious cross-site requests. Enforce secure cookie attributes (HttpOnly, Secure, SameSite=strict) to limit cookie exposure. Conduct thorough audits of user permissions to minimize the number of users with content modification rights, reducing potential attack impact. Monitor web server logs and Drupal audit logs for unusual or unauthorized content changes. Educate users about the risks of interacting with suspicious links while authenticated. Consider deploying web application firewalls (WAFs) with custom rules to detect and block CSRF attack patterns targeting Acquia Content Hub endpoints. Finally, maintain an incident response plan tailored to web application compromises involving content management systems.
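The version check in the first recommendation can be automated across a fleet of sites. The following is an added example, not code from the advisory or from the module: it reads a site's `composer.lock` and classifies the locked Acquia Content Hub version against the affected ranges stated above. The package name `drupal/acquia_contenthub` and the sample lock data are assumptions.

```python
import json
import re

# Assumption: the module's Composer package name.
PACKAGE = "drupal/acquia_contenthub"
# Affected ranges from the advisory, as half-open [low, high) intervals.
AFFECTED = [((0, 0, 0), (3, 6, 4)), ((3, 7, 0), (3, 7, 3))]


def classify(raw_version):
    """Map a locked version string to affected / not-affected / unknown."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw_version.strip())
    if m is None:
        # Branch aliases and pre-releases (dev-3.x, 3.7.3-rc1) need a manual look.
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    if any(low <= version < high for low, high in AFFECTED):
        return "affected"
    return "not-affected"


def audit_lock(lock_text):
    """Return [(version, verdict)] for every locked copy of the module."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                version = str(pkg.get("version", ""))
                findings.append((version, classify(version)))
    return findings


# Constructed sample input, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/acquia_contenthub", "version": "3.7.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for version, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version}: {verdict}")
```

An empty result means the module is not locked in that project; an `unknown` verdict means the version string is not a plain release number and should be checked by hand.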
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: drupal
- Date Reserved: 2025-12-10T17:52:26.026Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697a6c254623b1157cec1714
Added to database: 1/28/2026, 8:05:57 PM
Last enriched: 2/5/2026, 8:52:22 AM
Last updated: 2/6/2026, 3:10:13 AM