CVE-2022-25270 - Exploiting Quick Edit Module's Entity Access Flaw in Drupal

CVE-2022-25270 is a security vulnerability that affects Drupal’s Quick Edit module. This flaw allows a user with the "access in-place editing" permission to view content they should not be able to access. This happens because the module does not properly check entity access in some cases. If your Drupal site uses the Standard installation profile with Quick Edit enabled, you could be at risk.

In this article, I'll break down what the vulnerability is, why it matters, show code snippets that demonstrate the issue, explain how the exploit works, and share advice on securing your site.

What is Quick Edit in Drupal?

Quick Edit lets users edit content directly from the front end—like clicking on text to change it without visiting the full edit page. It ships with Drupal core in the Standard install, and makes content management a lot easier–but this added convenience introduced a security hole.

The Core Issue

When a user tries to in-place edit an entity (like a node), the Quick Edit module checks permissions. However, it wasn’t always checking whether the user should be able to “see” the entity in the first place—only whether they can edit it in-place. That means certain content types, restricted or unpublished items, could be exposed to the wrong users.

So, users with "access in-place editing" permission could view data they shouldn’t be able to see. This does not allow them to edit items they couldn't already edit, but it reveals private or unpublished content.

The problematic part lies in the access check for quick edit routes. Here’s a simplified example

// Simplified entity access check in QuickEdit module
if ($entity->hasField($field_name) && $entity->access('update')) {
  // Allow rendering for editing
}

But what should have happened

// Proper access check, including 'view' access
if ($entity->hasField($field_name) && $entity->access('update') && $entity->access('view')) {
  // Only allow if the user can both edit and view
}

The missing view access check is the vulnerability.

Attacker needs "access in-place editing" permission

Attacker crafts a Quick Edit AJAX request

  They target an entity ID or revision ID they do not have normal "view" permission for (e.g., unpublished node, or a restricted content type).

Quick Edit endpoint leaks the content

Example using curl (replace IDs and tokens as needed)

curl -H "X-Requested-With: XMLHttpRequest" \
     -H "Cookie: [SESSION_COOKIE]" \
     "https://drupal.example.com/quickedit/field/node/15/body/en/preview";

If Quick Edit is vulnerable, this might return the body content of node #15, even if it's unpublished or otherwise restricted.

Mitigation and Fix

Drupal’s security team fixed the issue in core updates 8.9.19 and 9.2.13.  
If you haven’t patched your site since Feb 2022 or still run affected versions, update immediately.

- Visit the official advisory (SA-CORE-2022-003)
- See git commit patch for details.

Temporary mitigation:

References

- Drupal Security Advisory SA-CORE-2022-003
- NVD: CVE-2022-25270
- Drupal Git Commit

Conclusion

CVE-2022-25270 is a classic example of how “just a missing access check” can expose the secrets you thought were safe.

If you use Drupal and Quick Edit, patch your system. Audit who has the "access in-place editing" permission, and be careful about any permissions that allow users to access backend features.

Don’t leave unpublished or private content sitting around unprotected!

*For more deep-dives into Drupal security, keep following our posts!*

Timeline

Published on: 02/17/2022 00:15:00 UTC
Last modified on: 02/25/2022 14:34:00 UTC