Wednesday, Aug 23rd, 2023
Advisory ID: 
Security risk: 
Remote Code Execution
Versions affected: 
  • Forum Access 1.x-1.x versions prior to 1.x-1.6.

This module changes your forum administration page to allow you to set forums to private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, on which Forum Access depends.


Install the latest version:

The ACL module (a dependency) should also be updated.

Reported By: 
Fixed By: 
Coordinated By: 

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

  1. Log in to
  2. Edit your profile
  3. Switch to the "Subscriptions" tab
  4. Check the box labeled "Security updates"
  5. Save the form