DRUPAL-CONTRIB-2025-124

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/disable_login/DRUPAL-CONTRIB-2025-124.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-124
Aliases
  • CVE-2025-13986
Published
2025-12-03T18:49:57Z
Modified
2025-12-10T23:41:28.927686Z
Summary
[none]
Details

This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.

The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.

This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/disable_login

Package

Name
drupal/disable_login
Purl
pkg:composer/drupal/disable_login

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.3
Database specific
{
    "constraint": "<1.1.3"
}

Database specific

affected_versions

"<1.1.3"