DRUPAL-CONTRIB-2026-026

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-026.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-026

Aliases

CVE-2026-3531

Published

2026-03-04T18:02:14Z

Modified

2026-03-04T19:02:25.349419Z

Summary

[none]

Details

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.

References

https://www.drupal.org/sa-contrib-2026-026

Credits

- Kimberley Massey (kimberleycgm)
- - https://www.drupal.org/u/kimberleycgm

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/openid_connect

Package

Name: drupal/openid_connect
Purl: pkg:composer/drupal/openid_connect

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.5.0

Database specific

{
    "constraint": "<1.5.0"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-026.json"

affected_versions

"<1.5.0"