OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
Project: OpenID Connect / OAuth clientDate: 2026-March-04Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Server-side request forgery, Information disclosureAffected versions: <1.5.0CVE IDs: CVE-2026-3530Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.
This vulnerability is mitigated by:
- an attacker must have access to the identity provider to provide compromised data at the source profile.
- a site must have specific field mappings configuredSolution: Install the latest version:
- If you use the OpenID Connect 8.x-1.x module upgrade to OpenID Connect 8.x-1.5
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
- Drew Webber (mcdruid) of the Drupal Security Team
- Philip Frilling (pfrilling)
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
