CVE-2026-0945: CWE-267 Privilege Defined With Unsafe Actions in Drupal Role Delegation
Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0.
AI Analysis
Technical Summary
CVE-2026-0945 identifies a privilege escalation vulnerability in the Drupal Role Delegation module, affecting versions from 1.3.0 before 1.5.0. The root cause is a CWE-267 weakness (Privilege Defined With Unsafe Actions): a privilege is defined so that it permits actions it should not, and access control is therefore not enforced as intended. Role Delegation is a module that allows site administrators to delegate role management capabilities to other users. Because of the unsafe privilege definition, an attacker with limited access can escalate their privileges beyond the intended limits, potentially gaining administrative rights, which compromises the confidentiality, integrity, and availability of the Drupal site. No exploits in the wild are known yet, but the module's presence in a widely used CMS makes this a significant risk. No CVSS score has been assigned, but the nature of the flaw suggests a high risk, since the privilege escalation does not appear to require complex exploitation steps. The issue was published on February 4, 2026, and no patch links are currently provided, so users should monitor for updates and apply them promptly. Only the Role Delegation module is affected, not Drupal core, but given the module's role in permission management the impact can be severe if exploited.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications running Drupal with the Role Delegation module in the affected versions. Successful exploitation can lead to unauthorized privilege escalation, allowing attackers to modify site content, access sensitive data, or disrupt services. This can result in data breaches, defacement, or loss of service continuity, impacting business operations and reputation. Organizations in sectors such as government, finance, healthcare, and critical infrastructure, which often rely on Drupal for public-facing websites and portals, are particularly vulnerable. The lack of known exploits currently reduces immediate risk, but the potential for rapid exploitation once public details are widely known is high. Additionally, compliance with GDPR and other data protection regulations may be jeopardized if personal data is exposed due to this vulnerability.
Mitigation Recommendations
1. Immediately audit all Drupal installations to identify the use of the Role Delegation module and verify the version in use.
2. Upgrade the Role Delegation module to version 1.5.0 or later as soon as it becomes available, since this version is expected to address the vulnerability.
3. Until a patch is applied, restrict access to role delegation features to only the most trusted administrators and review all delegated roles for unnecessary privileges.
4. Implement strict monitoring and logging of role changes and administrative actions to detect suspicious activities early.
5. Conduct regular security assessments and penetration tests focusing on privilege escalation vectors within Drupal environments.
6. Educate site administrators about the risks of privilege delegation and enforce the principle of least privilege.
7. Follow Drupal security advisories closely for updates or patches related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: drupal
- Date Reserved: 2026-01-14T16:52:29.540Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6983afd6f9fa50a62fabdb28
Added to database: 2/4/2026, 8:45:10 PM
Last enriched: 2/4/2026, 9:01:46 PM
Last updated: 2/7/2026, 11:00:59 AM