Review: Drupal Canvas SA-CONTRIB-2026-017 (SSRF + Info Disclosure)

The Hook
This is a moderately critical Drupal Canvas advisory, but the real risk depends on whether the hidden canvas_ai submodule is enabled and who has the use Drupal Canvas AI permission.

What Happened
On February 25, 2026, Drupal published SA-CONTRIB-2026-017 for Drupal Canvas, covering server-side request forgery (SSRF) and information disclosure (CVE-2026-3216).
Affected versions are < 1.1.1.

Exposure Conditions
Your site is exposed when all of these are true:

• You run Drupal Canvas below 1.1.1.
• The hidden submodule canvas_ai is enabled (often via recipes or deployment scripts).
• An attacker has a role with use Drupal Canvas AI.

Fast Mitigation Plan

• Upgrade Drupal Canvas to 1.1.1.
• Verify whether canvas_ai is enabled:
  • drush config:get core.extension | grep canvas_ai
• Review and reduce roles that include use Drupal Canvas AI.
• Check logs for unusual outbound request behavior from Canvas AI flows.

Why This Matters for Drupal CMS Teams
The advisory is a reminder that recipe-driven or script-driven enablement can introduce hidden runtime surface area. If your deployment enables dependencies automatically, your security checks must validate what is actually enabled in core.extension, not just what appears in the UI.

References

• https://www.drupal.org/sa-contrib-2026-017
• https://www.drupal.org/project/canvas/releases/1.1.1