Drupal · Entra ID SSO Login · CVE-2026-0948
**Name of the Vulnerable Software and Affected Versions**
Drupal Microsoft Entra ID SSO Login versions prior to 1.0.4
**Description**
The Microsoft Entra ID SSO Login module for Drupal does not properly validate responses received from the Microsoft Entra ID service. This insufficient validation can lead to a complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account. The issue involves an authentication bypass using an alternate path or channel, potentially allowing privilege escalation.
**Recommendations**
Update to version 1.0.4 or later.