Drupal is prone to a remote code-execution vulnerability when the REST module is enabled (by default this module is disabled). Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution.

A site is only affected by this if one of the following conditions is met:

  • the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH or POST requests,
  • or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.


If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.
No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.


Related Vulnerabilities