DRUPAL-CONTRIB-2026-063

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/salesforce/DRUPAL-CONTRIB-2026-063.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-063
Aliases
  • CVE-2026-13243
Published
2026-06-24T18:48:15Z
Modified
2026-06-24T19:15:05.481546602Z
Summary
[none]
Details

The Salesforce Suite of modules integrates Drupal with Salesforce.

The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account.

This vulnerability is mitigated by the fact that salesforce_oauth submodule must be enabled, and a salesforce_oauth authorization profile active and in use. The submodule salesforce_oauth is deprecated, and salesforce_jwt has been the recommended authentication plugin for several years. Sites with salesforce_oauth uninstalled, or sites relying exclusively on salesforce_jwt (JWT or JWT Gov Cloud) for authentication are not impacted.

Submodule salesforce_oauth has been removed in branch 6.0.x, so >= 6.0.x versions are not affected by this vulnerability.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/salesforce

Package

Name
drupal/salesforce
Purl
pkg:composer/drupal%2Fsalesforce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.1.3
Database specific
{
    "constraint": "<5.1.3"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/salesforce/DRUPAL-CONTRIB-2026-063.json"
affected_versions
"<5.1.3"