SB2026062531 - Improper access control in Commerce Realex / Global Payments module for Drupal
Published: June 25, 2026
Security Bulletin ID
SB2026062531
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper access control (CVE-ID: CVE-2026-13238)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the affected module does not sufficiently verify the authenticity of the payment response returned by Global Payments. A remote attacker can bypass implemented security restrictions and compromise the target system.
Remediation
Install update from vendor's website.