OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Wed, 2026-03-04 10:02 — Anonymous (not verified)

Project: OpenID Connect / OAuth clientDate: 2026-March-04Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.5.0CVE IDs: CVE-2026-3531Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.Solution: Install the latest version:

If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Reported By:

Kimberley Massey (kimberleycgm)

Fixed By:

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-026

Search form

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026