Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

An attacker can gain access to a Drupal site without valid credentials by exploiting an alternate authentication path or channel within the OpenID Connect / OAuth client module. The flaw allows unauthorized users to impersonate legitimate accounts and potentially reach restricted or administrative functions.

Affected Systems

Drupal site owners using the OpenID Connect / OAuth client module in any version released before 1.5.0, including the initial 0.0.0 releases, are affected. Upgrading to 1.5.0 or later resolves the issue.

Risk and Exploitability

The vulnerability carries a severity score of 6.5, indicating moderate risk. Exploitation likelihood is reported to be below one percent, and it has not been recorded in the known exploited vulnerabilities catalog. An attacker would most likely reach the vulnerable endpoint via a web request, so remote exploitation through the exposed OAuth client is possible and could lead to privilege escalation if left unpatched.

Generated by OpenCVE AI on April 2, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch by upgrading the OpenID Connect / OAuth client module to version 1.5.0 or newer
  • If a quick upgrade is not feasible, disable or remove the module to eliminate the attack surface
  • Confirm that no alternate authentication paths remain active after removal or disabling
  • Continuously monitor authentication logs for suspicious activity or repeated bypass attempts

Generated by OpenCVE AI on April 2, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-026 cve-icon cve-icon
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Bojanz
Bojanz openid Connect \/ Oauth Client
CPEs cpe:2.3:a:bojanz:openid_connect_\/_oauth_client:*:*:*:*:*:drupal:*:*
Vendors & Products Bojanz
Bojanz openid Connect \/ Oauth Client

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal openid
Vendors & Products Drupal
Drupal openid

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Title OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Weaknesses CWE-288
References

Subscriptions

Drupal Openid
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-30T14:54:51.550Z

Reserved: 2026-03-04T16:42:00.011Z

Link: CVE-2026-3531

cve-icon Vulnrichment

Updated: 2026-03-30T14:39:17.218Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:09.283

Modified: 2026-04-01T16:14:15.750

Link: CVE-2026-3531

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:25Z

Weaknesses