CVE-2026-8495 · Missing Authorization vulnerability in Drupal Date iCal

01 · The Real Story

This is a side door left open on the calendar export, not a battering ram through the whole CMS

CVE-2026-8495 is a missing-authorization flaw in Drupal's Date iCal module that affects versions < 4.0.15. The module exposes iCal feed routes, and Drupal's advisory says those routes do not sufficiently check entity or field access and also mishandle user input while generating feeds. In plain English: an anonymous requester can hit a public .ics export path and receive calendar-backed content that should have been filtered or denied.

The vendor's CRITICAL 9.8 label overstates what defenders are actually dealing with. The important part is the advisory's own description: this is an information disclosure bug on a contributed module, not a proven RCE or broad platform compromise. Reality pushes severity down because the blast radius depends on who actually deployed Date iCal, whether sensitive content is exposed through those feeds, and whether the site even uses the vulnerable iCal routes externally.

"Internet-reachable and unauthenticated, but this is a niche Drupal module leaking data, not a server takeover."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Discover a live iCal export route with curl

The attacker starts by enumerating Drupal paths that expose Date iCal feeds, typically through public Views-based or route-based calendar exports. The module advisory explicitly says the vulnerable routes are accessible to anonymous users with no configuration-based permission barrier, so simple HTTP probing is enough.

Conditions required:

Target runs Drupal with the Date iCal module installed in a vulnerable version < 4.0.15
The iCal feed route is reachable from the attacker network path
The site actually uses the module to publish or expose calendar-backed content

Where this breaks in practice:

This is a contributed Drupal module, not core; the exposed population is much smaller than a core flaw
Many enterprises do not expose calendar export routes externally at all
Finding the exact feed URL may require route guessing, crawling, or knowledge of site structure

Detection/coverage: Commodity web scanners can flag vulnerable versions from package inventory, but route-level exposure usually needs authenticated app crawling, content discovery, or targeted DAST.

STEP 02

Bypass content checks by requesting the feed with curl or wget

Once the attacker reaches a vulnerable route, the bug is triggered by a normal unauthenticated HTTP request. Because entity or field access is not enforced correctly during iCal generation, the response may include items or fields that should not be visible to anonymous users.

Conditions required:

The feed renders entities or fields whose access should differ from anonymous access
The site maps sensitive event data into the feed output

Where this breaks in practice:

If the underlying events are already public, the leak is low-value
If feed definitions only include harmless metadata, impact is limited
Reverse proxies or auth gateways in front of Drupal may block direct access to the route

Detection/coverage: WAFs rarely catch this because the request can look like ordinary feed retrieval. High-signal detection comes from HTTP logs showing anonymous requests to .ics endpoints followed by unusually large content responses.

STEP 03

Harvest restricted event data with calendar tooling

The attacker can parse returned ICS content using standard tools like icalBuddy, python-icalendar, or custom scripts to extract titles, descriptions, locations, attendees, and dates. If unpublished or role-restricted event records are exposed, the result is quiet data leakage that may reveal internal schedules, names, or operational details.

Conditions required:

The leaked iCal content contains materially sensitive fields
The attacker can parse ICS output successfully

Where this breaks in practice:

Some feeds may contain only partial or sanitized event data
Organizations often underestimate the sensitivity of calendar metadata, but many feeds still do not contain credentials or direct secrets

Detection/coverage: Content-level exfiltration is hard to detect unless the organization already monitors access to calendar endpoints or correlates repeated anonymous ICS downloads.

STEP 04

Optional downstream abuse via calendar-client import

The advisory also mentions insufficient input sanitization during iCal generation. In the worst case, crafted values embedded in feed fields could create downstream parsing or content-injection issues in consuming calendar clients, but the primary documented impact remains information disclosure.

Conditions required:

An attacker can influence event content rendered into the feed
A downstream user or system imports the malicious ICS output

Where this breaks in practice:

This requires a second-stage consumer, so it is not a one-request server-side compromise
No primary-source evidence reviewed shows public weaponization of this secondary path for code execution

Detection/coverage: Application scanners may miss client-side ICS abuse paths entirely. Treat this as speculative tail risk unless your environment has automated ICS consumers.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence in the reviewed sources that `CVE-2026-8495` is being actively exploited in the wild, and it is not listed in CISA KEV.
Public PoC availability	I did not find a public exploit or Metasploit module in the reviewed sources. Reproduction appears straightforward with `curl` once a vulnerable feed URL is known, but there is no authoritative public weaponization reference in the primary sources reviewed.
EPSS	`0.00054` per the intel provided and reflected by secondary aggregation sources; that is extremely low and consistent with a niche-module bug rather than an internet-wide exploitation magnet.
KEV status	Not in KEV as of the reviewed CISA catalog; no CISA date-added entry exists for this CVE.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` from the NVD-linked record. The `AV:N/PR:N/UI:N` part fits the anonymous web exposure, but the `I:H/A:H` impact looks inflated for a flaw Drupal itself labels as information disclosure.
Affected versions	Drupal advisory and CVE records say `Date iCal < 4.0.15` is affected.
Fixed version	Upgrade to `Date iCal 4.0.15` on supported Drupal 10/11/12 branches. I did not find distro backport guidance in the reviewed sources.
Exposure / footprint	Drupal usage stats showed about 6,794 total reporting installs for the project and about 568-569 on `4.0.x` in early 2026. That is real but not mass-market exposure, and it is far below a Drupal core population.
Disclosure timeline	Drupal published advisory `SA-CONTRIB-2026-037` on 2026-05-13; the CVE/NVD publication date was 2026-05-19.
Reporter / coordinator	Reported by Drew Webber (mcdruid) of the Drupal Security Team; fixed by Joël Pittet and coordinated by the Drupal Security Team.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (7.4/10)

The decisive factor is that exploitation is unauthenticated and internet-reachable, so if you run the vulnerable route externally the bug is cheap to exercise and hard to distinguish from normal feed access. It stays out of CRITICAL because the documented impact is data exposure in a relatively niche contributed module, not a broadly deployed pre-auth server takeover with active exploitation evidence.

HIGH Affected-version range and fixed version

HIGH Unauthenticated route exposure requirement

MEDIUM Real-world blast radius across enterprise Drupal estates

MEDIUM Absence of public exploitation or PoC in reviewed sources

Why this verdict

Unauthenticated remote path: the attacker position is AV:N/PR:N/UI:N, and Drupal explicitly says the vulnerable routes are accessible to anonymous users with no permission gate.
Impact is narrower than 9.8 suggests: the vendor advisory calls this Information disclosure; there is no primary-source evidence here of direct pre-auth RCE, admin creation, or whole-site availability loss.
Population is limited: this is a contributed module with roughly ~569 reporting 4.0.x installs in Drupal usage stats, not a ubiquitous Drupal core issue affecting most internet-facing sites.
Route exposure is conditional: an attacker still needs the site to actually publish or expose an iCal endpoint containing sensitive content. Many deployments either do not use these feeds or only expose already-public events.
Modern controls only partially help: EDR does nothing at the web layer, and WAFs are weak here because the request can look like a legitimate ICS download. That keeps the issue above MEDIUM.

Why not higher?

There is no reviewed evidence of KEV listing, active exploitation, or public weaponization. More importantly, the business impact is usually bounded to whatever the feed exposes; this is not the kind of flaw that normally gives an unauthenticated attacker arbitrary code execution across the server.

Why not lower?

You cannot dismiss an anonymous content-bypass on a public web app module as mere backlog hygiene. If a site exposes nonpublic event metadata through ICS, the leak is silent, low-effort, and externally reachable, which is enough to keep this in HIGH for affected internet-facing deployments.

05 · Compensating Control

What to do — in priority order.

Block external access to iCal routes — Put the relevant .ics or module-specific feed paths behind an upstream allowlist, SSO gateway, VPN, or reverse-proxy deny rule if business use permits. This is the fastest risk reduction for exposed sites and should be deployed within 30 days for a HIGH finding, sooner for internet-facing feeds carrying sensitive content.
Disable the module where unused — If Date iCal is installed but not operationally required, remove or disable it to eliminate the attack surface entirely. For high-confidence unused deployments, do this within 30 days rather than carrying a niche vulnerable module indefinitely.
Restrict sensitive fields from feed outputs — Review Views and feed definitions so titles, descriptions, attendee data, locations, unpublished content, and internal notes are not rendered into public ICS exports. This does not fix the access bug, but it limits blast radius and should be completed within 30 days on exposed sites.
Log and alert on anonymous ICS access — Add web-server or reverse-proxy detection for repeated anonymous requests to .ics endpoints, especially high-volume pulls or requests for unusual feed names. This is a containment and hunting measure, not a patch, and should be enabled within 30 days.

What doesn't work

Relying on EDR alone does not help because exploitation is a normal-looking HTTP request to Drupal, not endpoint malware execution.
Assuming Drupal role permissions save you does not help here; the advisory explicitly states the vulnerable routes are accessible to anonymous users and access checks are insufficient.
A generic WAF in default mode is unlikely to block this consistently because the attacker can retrieve the feed using ordinary GET requests without obvious exploit payloads.

06 · Verification

Crowdsourced verification payload.

Run this on the Drupal application host or on a CI workspace containing the site's codebase, from the project root where composer.lock is present. Invoke it as bash check-date-ical-cve-2026-8495.sh /var/www/drupal and use an account with read access to the code directory; root is not required.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-date-ical-cve-2026-8495.sh
# Detects whether Drupal Date iCal is vulnerable to CVE-2026-8495 based on installed version.
# Usage: bash check-date-ical-cve-2026-8495.sh /path/to/drupal-project
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage error

set -u

TARGET="${1:-}"
if [ -z "$TARGET" ]; then
  echo "UNKNOWN - missing path argument"
  echo "Usage: bash $0 /path/to/drupal-project"
  exit 3
fi

if [ ! -d "$TARGET" ]; then
  echo "UNKNOWN - path does not exist: $TARGET"
  exit 2
fi

LOCKFILE="$TARGET/composer.lock"
INSTALLED_JSON="$TARGET/vendor/composer/installed.json"
PACKAGE="drupal/date_ical"
FIXED="4.0.15"
VERSION=""

# Compare semantic versions using sort -V
ver_lt() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

extract_from_lock() {
  awk -v pkg="$PACKAGE" '
    BEGIN { RS="\\{"; FS="\n" }
    $0 ~ "\"name\"[[:space:]]*:[[:space:]]*\"" pkg "\"" {
      if (match($0, /"version"[[:space:]]*:[[:space:]]*"([^"]+)"/, m)) {
        print m[1]; exit
      }
    }
  ' "$LOCKFILE" 2>/dev/null
}

extract_from_installed_json() {
  awk -v pkg="$PACKAGE" '
    BEGIN { RS="\\{"; FS="\n" }
    $0 ~ "\"name\"[[:space:]]*:[[:space:]]*\"" pkg "\"" {
      if (match($0, /"version"[[:space:]]*:[[:space:]]*"([^"]+)"/, m)) {
        print m[1]; exit
      }
    }
  ' "$INSTALLED_JSON" 2>/dev/null
}

normalize() {
  echo "$1" | sed -E 's/^v//; s/\.0-patch[0-9]+$//; s/-.*$//'
}

if [ -f "$LOCKFILE" ]; then
  VERSION="$(extract_from_lock)"
fi

if [ -z "$VERSION" ] && [ -f "$INSTALLED_JSON" ]; then
  VERSION="$(extract_from_installed_json)"
fi

if [ -z "$VERSION" ] && command -v composer >/dev/null 2>&1; then
  VERSION="$(cd "$TARGET" 2>/dev/null && composer show drupal/date_ical 2>/dev/null | awk '/^versions/ {print $2; exit}')"
fi

if [ -z "$VERSION" ]; then
  if [ -d "$TARGET/web/modules/contrib/date_ical" ] || [ -d "$TARGET/modules/contrib/date_ical" ]; then
    echo "UNKNOWN - Date iCal module directory exists but installed version could not be determined"
    exit 2
  else
    echo "UNKNOWN - Date iCal does not appear installed from standard paths and no composer metadata found"
    exit 2
  fi
fi

RAW_VERSION="$VERSION"
VERSION="$(normalize "$VERSION")"

if ver_lt "$VERSION" "$FIXED"; then
  echo "VULNERABLE - $PACKAGE version $RAW_VERSION installed; fixed version is $FIXED"
  exit 1
else
  echo "PATCHED - $PACKAGE version $RAW_VERSION installed; not affected by CVE-2026-8495"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, identify every Drupal estate using drupal/date_ical, then immediately separate the tiny set that is both vulnerable and internet-exposed. For this HIGH verdict, apply a temporary control on exposed iCal routes within 30 days per the noisgate mitigation SLA, and complete the actual upgrade to Date iCal 4.0.15 within 180 days per the noisgate remediation SLA; if the feed contains sensitive internal scheduling data, treat those exposed sites as priority exceptions and patch them ahead of the general window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.