OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Project: OpenID Connect / OAuth clientDate: 2026-March-04Security risk: Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <1.5.0CVE IDs: CVE-2026-3532Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.Solution: Install the latest version:

• If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.Reported By: 

• Eric Smith (ericgsmith)

Fixed By: 

• Philip Frilling (pfrilling)

Coordinated By: 

• Greg Knaddison (greggles) of the Drupal Security Team
• Drew Webber (mcdruid) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team