DRUPAL-CONTRIB-2026-005

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social_auth_entra_id/DRUPAL-CONTRIB-2026-005.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-005

Aliases

CVE-2026-0948

Published

2026-01-14T17:57:31Z

Modified

2026-01-20T22:00:39.656235Z

Summary

[none]

Details

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.

The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

References

https://www.drupal.org/sa-contrib-2026-005

Credits

- Ashish Verma (ashish.verma85)
- - https://www.drupal.org/u/ashishverma85
- Dheeraj Jhamtani (dheeraj jhamtani)
- - https://www.drupal.org/u/dheeraj-jhamtani
- Marcelo Vani (marcelovani)
- - https://www.drupal.org/u/marcelovani

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social_auth_entra_id

Package

Name: drupal/social_auth_entra_id
Purl: pkg:composer/drupal/social_auth_entra_id

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.4

Database specific

{
    "constraint": "<1.0.4"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social_auth_entra_id/DRUPAL-CONTRIB-2026-005.json"

affected_versions

"<1.0.4"