"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Wed, 2026-03-04 10:02 — Anonymous (not verified)

Project: OpenID Connect / OAuth clientDate: 2026-March-04Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: <1.5.0CVE IDs: CVE-2026-3531Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.Solution: Install the latest version:

If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Reported By:

Kimberley Massey (kimberleycgm)

Fixed By:

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-026

Search form

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026