CVE-2026-55803
Description
[SA-CORE-2019-003](https://www.drupal.org/sa-core-2019-003) added protection for fields that store serialized data to disallow direct writes via web services. That fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.

This vulnerability is mitigated by the fact that in order to be exploitable:

* A site must use an entity reference field type that stores a serialized property.
* An attacker must have permission to write to the entity via JSON:API.

No field type shipped with Drupal core meets these criteria, and contributed or user-created field types that do appear to be extremely unusual. This update protects all such fields; no changes are required in contributed modules.

JSON:API is read-only by default, so sites are only affected if they have enabled write access (either through administrator configuration or the installation of a contributed or custom module that enables write access).

#### Drupal Steward protection

This issue is being protected by [Drupal Steward](https://www.drupal.org/steward). In this instance, we believe that the WAF rule will provide mitigation for the common/obvious vulnerability paths, but may not be able to cover all cases or work for all hosting providers. Additionally, several other core security advisories released today are *not* mitigated by Drupal Steward. Therefore, our recommended action is still to plan an actual Drupal update within 24 hours of this release.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | drupal/core | <10.5.12 or >=10.6.0,<10.6.11 or >=11.2.0,<11.2.14 or >=11.3.0,<11.3.12 or >=11.0.0,<11.1.0 or >=11.1.0,<11.2.0 | 10.5.12 |
References