Open Atrium – Moderately Critical – Access Bypass – SA-CONTRIB-2016-003


Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space.

This issue only affects sites that use private sub-spaces.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Open Atrium 7.x-2.x versions prior to 7.x-2.53.

Drupal core is not affected. If you do not use the contributed Open Atrium module, there is nothing you need to do.

Solution

  • Upgrade to the latest version, 7.x-2.53

If you are not able to fully upgrade to the latest version, ensure private sub-spaces are directly marked as private and are not seen publicly in a private parent space.
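For sites that have to apply the workaround before upgrading, the following added example (not code from Open Atrium or the Drupal Security Team) audits a space hierarchy for public sub-spaces that sit anywhere below a private space. The record layout (`id`, `title`, `parent`, `private`), the single-parent assumption and the sample data are hypothetical and constructed for illustration; they are not Open Atrium's database schema.

```python
# Added example: find public sub-spaces nested under a private space.
# Record layout is a hypothetical export format, not Open Atrium's schema.
# Assumes each space has at most one parent.

def private_ancestor(space_id, spaces):
    """Return the id of the nearest private ancestor of space_id, or None."""
    seen = {space_id}  # guards against a malformed, cyclic hierarchy
    parent = spaces[space_id]["parent"]
    while parent is not None and parent in spaces and parent not in seen:
        if spaces[parent]["private"]:
            return parent
        seen.add(parent)
        parent = spaces[parent]["parent"]
    return None

def audit(records):
    """List public spaces located below a private space.

    Each finding is (space id, title, id of the nearest private ancestor).
    These are the sub-spaces to review and, if their content is meant to be
    restricted, mark private directly.
    """
    spaces = {r["id"]: r for r in records}
    findings = []
    for sid, rec in sorted(spaces.items()):
        if rec["private"]:
            continue  # private in its own right, not relying on a parent
        ancestor = private_ancestor(sid, spaces)
        if ancestor is not None:
            findings.append((sid, rec["title"], ancestor))
    return findings

# Constructed sample hierarchy (not real site data).
SAMPLE = [
    {"id": 1, "title": "Company", "parent": None, "private": False},
    {"id": 2, "title": "HR", "parent": 1, "private": True},
    {"id": 3, "title": "HR Policies", "parent": 2, "private": False},
    {"id": 4, "title": "HR Cases", "parent": 2, "private": True},
    {"id": 5, "title": "Case Templates", "parent": 4, "private": False},
    {"id": 6, "title": "Handbook Drafts", "parent": 3, "private": False},
    {"id": 7, "title": "Marketing", "parent": 1, "private": False},
]

if __name__ == "__main__":
    for sid, title, ancestor in audit(SAMPLE):
        print(f"space {sid} ({title!r}) is public under private space {ancestor}")
```

The check walks the whole ancestor chain, so a public space two levels below a private one (space 6 in the sample) is reported as well.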

Also see the Open Atrium project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
