DRUPAL-CONTRIB-2026-027

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-027.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-027
Aliases
  • CVE-2026-3532
Published
2026-03-04T18:02:59Z
Modified
2026-03-04T19:01:55.854399Z
Summary
[none]
Details

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/openid_connect

Package

Name
drupal/openid_connect
Purl
pkg:composer/drupal/openid_connect

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5.0
Database specific 
{
    "constraint": "<1.5.0"
}

Database specific

source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/openid_connect/DRUPAL-CONTRIB-2026-027.json"
affected_versions 
"<1.5.0"