DRUPAL-CONTRIB-2026-025

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-025.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-025

Aliases

CVE-2026-3530

Published

2026-03-04T18:00:41Z

Modified

2026-03-04T19:02:25.030162Z

Summary

[none]

Details

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.

This vulnerability is mitigated by:
- an attacker must have access to the identity provider to provide compromised data at the source profile.
- a site must have specific field mappings configured

References

https://www.drupal.org/sa-contrib-2026-025

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/openid_connect

Package

Name: drupal/openid_connect
Purl: pkg:composer/drupal/openid_connect

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.5.0

Database specific

{
    "constraint": "<1.5.0"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-025.json"

affected_versions

"<1.5.0"