Review: Material Icons Access Bypass in Drupal (SA-CONTRIB-2026-011)

The Hook SA-CONTRIB-2026-011 is a classic route-protection bug: if a module route is reachable without the intended custom permission checks, non-admin users can reach privileged UI endpoints.

What Happened The Drupal Security Team published SA-CONTRIB-2026-011 on February 25, 2026 for the Material Icons module. The advisory is marked moderately critical and classified as an access bypass vulnerability.

The root issue: dialog and autocomplete routes were not sufficiently protected by custom permissions, which allowed broader access than intended in many setups.

Affected Scope

• Affected versions: < 2.0.4
• Fixed version: 2.0.4
• CVE: CVE-2026-3210
• Advisory ID: DRUPAL-CONTRIB-2026-011

Why This Matters for Drupal 10/11 and Drupal CMS Material Icons integrates with CKEditor workflows. If editors or other non-admin roles can access routes that should be gated, you get permission boundary drift in content authoring flows. This is exactly the type of issue that often goes unnoticed until a security advisory forces an audit.

Fast Triage Checklist

1. Check installed version:
   • composer show drupal/material_icons
2. Patch immediately if running <2.0.4:
   • composer require drupal/material_icons:^2.0.4
3. Clear caches and rebuild router after update:
   • drush cr
4. Review who can use related editor features and verify least privilege:
   • drush role:perm | grep -Ei "material|ckeditor|icon"

Bottom Line If your site uses Material Icons and is below 2.0.4, treat this as active patch work, not backlog work. Upgrade first, then validate role permissions around editor tooling.

References

• https://www.drupal.org/sa-contrib-2026-011
• https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-011
• https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/material_icons/DRUPAL-CONTRIB-2026-011.json