DRUPAL-CONTRIB-2026-070

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/login_disable/DRUPAL-CONTRIB-2026-070.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-070
Aliases
  • CVE-2026-15079
Published
2026-07-08T17:12:32Z
Modified
2026-07-08T19:00:04.913998131Z
Summary
[none]
Details

The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page.

The module doesn't sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an attacker to use a brute force attack to bypass the protection provided by this module. The security fix blocks these attempts with flood control.

This vulnerability is mitigated by the fact that an attacker must obtain a valid username & password.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/login_disable

Package

Name
drupal/login_disable
Purl
pkg:composer/drupal/login_disable

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4
Database specific
{
    "constraint": "<2.1.4"
}

Database specific

affected_versions
"<2.1.4"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/login_disable/DRUPAL-CONTRIB-2026-070.json"