Description
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.

This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an access bypass in Drupal TFA Basic Plugins. It permits a user who holds the administer users permission to view or generate two-factor authentication recovery codes for any other user. Sensitive recovery codes are therefore disclosed, enabling an attacker who compromises or uses an administrative account to reset other users' passwords and gain unauthorized access. The weakness is classified as an authorization bypass through privilege escalation (CWE-267). The CVSS score of 5.1 indicates medium severity, with a moderately high potential impact on the confidentiality and integrity of user authentication data.

Affected Systems

Affected components are Drupal TFA Basic Plugins versions 7.x-1.0 through 7.x-1.2. The issue is limited to these releases regardless of the Drupal core version. All installations that have not yet upgraded beyond 7.x-1.2 are vulnerable.

Risk and Exploitability

The risk depends on the presence of accounts with the administer users permission. An attacker who gains or already possesses such administrative rights can easily generate recovery codes for other accounts. Because the exploit does not require network exposure or remote code execution, its practicality is confined to environments where administrator accounts are locally or remotely accessible. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting that public exploitation is not yet known. Nonetheless, the moderate CVSS score highlights the importance of addressing this weakness before it is leveraged.

Generated by OpenCVE AI on May 29, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TFA Basic Plugins module to a version newer than 7.x-1.2 if an update that fixes the bypass is available.
  • Restrict the administer users permission to a minimal set of trusted accounts and remove the ability to view or generate recovery codes for other users from that role whenever possible.
  • Continuously monitor user activity logs for anomalous recovery-code generation or unexpected administrative access, and investigate any deviations immediately.


Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type: References
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Drupal; Drupal tfa Basic Plugins
Type: Vendors & Products
Values Added: Drupal; Drupal tfa Basic Plugins

Thu, 28 May 2026 23:15:00 +0000

Type: Description
Values Added: An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
Type: Title
Values Added: TFA Basic Plugins - Access Bypass
Type: Weaknesses
Values Added: CWE-267
Type: References
Type: Metrics (cvssV4_0)
Values Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: drupal
Published:
Updated: 2026-05-29T18:33:20.699Z
Reserved: 2026-04-21T19:10:28.105Z
Link: CVE-2026-6816

Vulnrichment

Updated: 2026-05-29T18:32:54.734Z

NVD

Status: Awaiting Analysis
Published: 2026-05-28T23:16:44.637
Modified: 2026-05-29T20:16:31.087
Link: CVE-2026-6816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:42Z

Weaknesses