Description
Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Published: 2026-03-26
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The Drupal OpenID Connect / OAuth client module contains an improper handling of case sensitivity that allows an attacker to bypass authentication checks. This flaw is a CWE‑178 violation and can be exploited to attain privileges higher than those originally granted. As a result, an attacker controlling authentication requests can achieve privilege escalation on a Drupal site.

Affected Systems

Drupal sites that use the OpenID Connect / OAuth client module versions older than 1.5.0 are affected. The vulnerability applies to all releases from the initial 0.0.0 up to, but not including, 1.5.0.

Risk and Exploitability

The CVSS base score of 4.2 indicates a moderate severity, and the EPSS score of less than 1 % suggests that exploitation is unlikely. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need to manipulate the authentication flow of the OAuth client, likely by sending requests that differ only in case, to trigger the bypass. Because the flaw lies in the client’s input processing, exploitation requires access to the identity provider integration or direct control over the module’s authentication inputs, which limits the scope of potential attacks.

Generated by OpenCVE AI on April 2, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Drupal OpenID Connect / OAuth client module to version 1.5.0 or newer.
  • If an upgrade cannot be performed immediately, limit access to privileged roles until the patch is applied.
  • Monitor Drupal security advisories and vendor announcements for additional guidance.

Generated by OpenCVE AI on April 2, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-027 cve-icon cve-icon
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Bojanz
Bojanz openid Connect \/ Oauth Client
CPEs cpe:2.3:a:bojanz:openid_connect_\/_oauth_client:*:*:*:*:*:drupal:*:*
Vendors & Products Bojanz
Bojanz openid Connect \/ Oauth Client

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal openid
Vendors & Products Drupal
Drupal openid

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
Title OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
Weaknesses CWE-178
References

Subscriptions

Bojanz Openid Connect \/ Oauth Client
Drupal Openid
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T13:53:59.637Z

Reserved: 2026-03-04T16:42:01.310Z

Link: CVE-2026-3532

cve-icon Vulnrichment

Updated: 2026-03-27T13:53:51.431Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:09.420

Modified: 2026-04-01T16:14:44.507

Link: CVE-2026-3532

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:25Z

Weaknesses