Description
Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

An SSRF vulnerability exists within the Drupal OpenID Connect / OAuth client module that allows an attacker to cause the server to make HTTP requests to arbitrary destinations. This flaw can lead to the disclosure of private information, internal network resources, or enable further attacks such as bypassing firewall restrictions. The weakness is identified as CWE‑918, which describes server‑side request forgery behaviors.

Affected Systems

Drupal installations employing the OpenID Connect / OAuth client module are affected when the module version is from the initial release through 1.4.9. Versions 1.5.0 and higher contain the fix and are not impacted by this issue.

Risk and Exploitability

The CVSS score of 4.3 classifies the vulnerability as low severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. It is not present in the CISA KEV catalog. The attack vector is not explicitly stated in the advisory, but it is inferred that an external attacker can trigger the SSRF by supplying a crafted request to the vulnerable module, a typical scenario for SSRF exploits.

Generated by OpenCVE AI on April 2, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenID Connect / OAuth client module to version 1.5.0 or later as the vendor recommends
  • Confirm that the update has been successfully applied and that the module no longer accepts unvalidated URLs
  • If an immediate upgrade is not feasible, limit outbound traffic from the Drupal server to prevent internal request exposure

Generated by OpenCVE AI on April 2, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-025 cve-icon cve-icon
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Bojanz
Bojanz openid Connect \/ Oauth Client
CPEs cpe:2.3:a:bojanz:openid_connect_\/_oauth_client:*:*:*:*:*:drupal:*:*
Vendors & Products Bojanz
Bojanz openid Connect \/ Oauth Client

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal openid
Vendors & Products Drupal
Drupal openid

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Title OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
Weaknesses CWE-918
References

Subscriptions

Drupal Openid
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-30T14:54:58.296Z

Reserved: 2026-03-04T16:41:58.794Z

Link: CVE-2026-3530

cve-icon Vulnrichment

Updated: 2026-03-30T14:37:48.826Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:09.150

Modified: 2026-04-01T16:11:34.167

Link: CVE-2026-3530

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:26Z

Weaknesses