"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Wed, 2026-03-04 10:02 — Anonymous (not verified)

Project: OpenID Connect / OAuth clientDate: 2026-March-04Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.5.0CVE IDs: CVE-2026-3532Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.Solution: Install the latest version:

If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.Reported By:

Eric Smith (ericgsmith)

Fixed By:

Philip Frilling (pfrilling)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-027

Search form

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027