Kimberley Massey

**Name of the Vulnerable Software and Affected Versions** Drupal OpenID Connect / OAuth client versions prior to 1.5.0 **Description** A flaw exists in the OpenID Connect / OAuth client module that could allow for authentication bypass. Specifically, if a user successfully authenticates with their Identity Provider but is denied access to Drupal due to custom code or a server error, their session remains active at the Identity Provider. This can potentially lead to unauthorized access, particularly in shared computing environments, where a user who initially failed to authenticate may gain access through an alternate path. **Recommendations** Update to version 1.5.0 or later.