The Drupal Automated Logout module contains a CSRF vulnerability (CWE-352) identified as CVE-2026-4393. It affects versions prior to 1.7.0 in the 0.x series and prior to 2.0.2 in the 2.x series. The vulnerability allows attackers to induce authenticated users to perform logout actions without their consent, potentially disrupting user sessions. The CVSS 3.1 base score is 4.3, reflecting network attack vector, low complexity, no privileges required, user interaction required, unchanged scope, and impact limited to availability (no confidentiality or integrity impact). No patch or official remediation details are provided in the input data.

The impact is limited to availability, specifically causing unintended user logouts. There is no impact on data confidentiality or integrity. No known active exploitation has been reported. The vulnerability could be leveraged to disrupt user sessions by forcing logouts via CSRF attacks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor the Drupal project for updates to the Automated Logout module. Until a fix is available, consider implementing CSRF protections at the application or web server level if possible, or restrict access to the logout functionality to trusted users. Avoid relying solely on this module for session management in sensitive environments until the issue is resolved.