{"id":"CVE-2020-13677","details":"Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected.","aliases":["BIT-drupal-2020-13677","DRUPAL-CORE-2021-010","GHSA-3xr3-phjp-g6p2"],"modified":"2026-04-10T04:22:16.560980Z","published":"2022-02-11T16:15:08.487Z","references":[{"type":"FIX","url":"https://www.drupal.org/sa-core-2021-010"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/drupal/drupal","events":[{"introduced":"35c2f3ca5c935f3d8bde15932a712677c9bbd50f"},{"fixed":"ff4f28f15d717b1ba39867f1550a248d1a915928"},{"introduced":"5c6f14f762c9aef87cd2731818386f202ee8463c"},{"fixed":"bdafd0207e0b6d78baa13ac181d9b74ba5e806cd"},{"introduced":"943ecef3c0bc9822338252a7df6419aeb9253c9d"},{"fixed":"4d4e64ff19e7fefad760f223bdb8cf36db9db43e"}],"database_specific":{"versions":[{"introduced":"8.0.0"},{"fixed":"8.9.19"},{"introduced":"9.1.0"},{"fixed":"9.1.13"},{"introduced":"9.2.0"},{"fixed":"9.2.6"}]}}],"versions":["8.0.0","8.1.0-beta1","8.9.0","8.9.0-beta1","8.9.0-beta2","8.9.0-beta3","8.9.0-rc1","8.9.11","8.9.12","8.9.15","8.9.16","8.9.17","8.9.18","8.9.2","8.9.3","8.9.4","8.9.5","8.9.8","9.1.0","9.1.1","9.1.10","9.1.11","9.1.12","9.1.2","9.1.4","9.1.5","9.1.6","9.1.8","9.2.0","9.2.1","9.2.3","9.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13677.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}