PT-2026-23113 · Drupal+2 · Openid Connect / Oauth Client+1
Damien Mckenna +4 · Published 2026-03-04 · Updated 2026-03-26
CVE-2026-3530
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Drupal OpenID Connect / OAuth client versions prior to 1.5.0
Description
A Server-Side Request Forgery (SSRF) issue exists in the OpenID Connect / OAuth client module of Drupal. The flaw stems from insufficient validation of data received from the identity provider. Successful exploitation could lead to Server-Side Request Forgery and information disclosure. Exploitation requires that the attacker have access to the identity provider and that the site have specific field mappings configured.
Recommendations
Update to version 1.5.0 or later.
Fix
SSRF
Affected Products
Openid Connect / Oauth Client
Drupal/Openid Connect