CVE-2025-31673 is an Incorrect Authorization vulnerability (CWE-863) affecting multiple versions of Drupal core, specifically from versions 8.0.0 before 10.3.13, 10.4.0 before 10.4.3, 11.0.0 before 11.0.12, and 11.1.0 before 11.1.3. The vulnerability enables Forceful Browsing, a technique where an attacker can bypass authorization controls to access resources or pages that should be restricted. This occurs due to improper enforcement of access control policies within Drupal's core authorization mechanisms. The vulnerability requires the attacker to have some level of privileges (as indicated by the CVSS vector requiring PR:L, meaning low privileges), and user interaction is necessary (UI:R). The attack vector is network-based (AV:N), and the vulnerability does not affect availability but impacts confidentiality and integrity to a limited extent (C:L/I:L/A:N). The vulnerability is classified as medium severity with a CVSS score of 4.6. No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of this report. The issue affects a broad range of Drupal core versions, which is a widely used content management system (CMS) for websites and web applications, including many enterprise and government sites. The flaw could allow unauthorized users with limited privileges to access or manipulate content or configuration data beyond their authorization, potentially leading to data leakage or unauthorized modifications within affected Drupal installations.

For European organizations, the impact of this vulnerability can be significant given Drupal's widespread adoption across public sector websites, educational institutions, and private enterprises. Unauthorized access through forceful browsing could lead to exposure of sensitive information, unauthorized content changes, or access to administrative functions depending on the site's configuration. This could undermine trust, lead to data privacy violations under GDPR, and disrupt business operations or public services. Although the vulnerability does not directly impact availability, the integrity and confidentiality breaches could have cascading effects, such as reputational damage, regulatory penalties, and increased risk of further exploitation if attackers leverage the unauthorized access to escalate privileges or implant malicious content. Organizations relying on Drupal for critical web infrastructure should consider this a medium risk but with potential for escalation if combined with other vulnerabilities or misconfigurations.

Apply official Drupal core updates to versions 10.3.13, 10.4.3, 11.0.12, or 11.1.3 as soon as they become available to remediate the authorization flaw. Implement strict access control policies and review user roles and permissions to minimize the number of users with elevated privileges that could exploit this vulnerability. Use web application firewalls (WAFs) with custom rules to detect and block suspicious forceful browsing attempts targeting Drupal endpoints. Conduct thorough security audits and penetration testing focusing on authorization mechanisms and access control enforcement within Drupal sites. Monitor web server and Drupal logs for unusual access patterns indicative of forceful browsing or privilege misuse. Isolate critical Drupal instances behind VPNs or restrict access to trusted IP ranges where feasible to reduce exposure. Educate site administrators and developers on secure configuration practices and the importance of timely patching for Drupal core components.