PT-2026-23114 · Drupal+2 · Openid Connect / Oauth Client+1
Damien Mckenna
+4
·
Published
2026-03-04
·
Updated
2026-03-26
·
CVE-2026-3531
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Drupal OpenID Connect / OAuth client versions prior to 1.5.0
Description
A flaw exists in the OpenID Connect / OAuth client module that could allow for authentication bypass. Specifically, if a user successfully authenticates with their Identity Provider but is denied access to Drupal due to custom code or a server error, their session remains active at the Identity Provider. This can potentially lead to unauthorized access, particularly in shared computing environments, where a user who initially failed to authenticate may gain access through an alternate path.
Recommendations
Update to version 1.5.0 or later.
Fix
Authentication Bypass Using an Alternate Path or Channel
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openid Connect / Oauth Client
Drupal/Openid Connect