PT-2026-3747 · Drupal+2 · Entra Id Sso Login+1
Ashish Verma +5 · Published 2026-01-14 · Updated 2026-02-04 · CVE-2026-0948
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Drupal Microsoft Entra ID SSO Login versions prior to 1.0.4
Description
The Microsoft Entra ID SSO Login module for Drupal does not properly validate responses received from the Microsoft Entra ID service. This insufficient validation can lead to a complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account. The issue involves an authentication bypass using an alternate path or channel, potentially allowing privilege escalation.
Recommendations
Update to version 1.0.4 or later.
Fix
LPE
Authentication Bypass Using an Alternate Path or Channel
Affected Products
Entra Id Sso Login
Drupal/Social Auth Entra Id