Description
The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.
Published: 2026-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Backdrop CMS Salesforce integration module, in versions prior to 1.0.1, fails to generate and enforce a random state parameter during the OAuth authorization flow. This omission enables an attacker to craft requests that are accepted as legitimate by the module, thereby performing actions on behalf of the user without their knowledge. The weakness falls under CWE‑352 and can compromise the confidentiality and integrity of data transferred to or from Salesforce.

Affected Systems

Backdrop CMS users who have installed the backdrop-contrib/salesforce contributed project with a version less than 1.0.1 are affected. Any site using the module before the 1.0.1 release is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the current exploitation likelihood is uncertain but the lack of a state parameter is a well‑known CSRF risk that can be leveraged remotely via the web interface. An attacker would need to induce the victim to visit a crafted OAuth URL; once the state is not validated, the module would accept the request as valid and execute the attacker’s intended action.

Generated by OpenCVE AI on May 12, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the backdrop-contrib/salesforce module to version 1.0.1 or later, which implements proper state parameter generation and validation.
  • Verify that the updated module uses a cryptographically secure random state string in the OAuth flow and that it is checked on return.
  • If an upgrade cannot be performed immediately, restrict or disable the module’s OAuth endpoints or block access to the module until the fix is applied.
  • Monitor user activity for unexpected OAuth requests and enforce multi‑factor authentication for Salesforce integration users.

Generated by OpenCVE AI on May 12, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Backdropcms
Backdropcms backdrop-contrib/salesforce
Vendors & Products Backdropcms
Backdropcms backdrop-contrib/salesforce

Tue, 12 May 2026 05:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Vulnerability in Backdrop CMS Salesforce Module

Tue, 12 May 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Backdropcms Backdrop-contrib/salesforce
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-12T12:59:07.153Z

Reserved: 2026-05-12T04:06:23.682Z

Link: CVE-2026-45430

cve-icon Vulnrichment

Updated: 2026-05-12T12:57:48.842Z

cve-icon NVD

Status : Received

Published: 2026-05-12T04:16:28.027

Modified: 2026-05-12T04:16:28.027

Link: CVE-2026-45430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:21:57Z

Weaknesses