As an academic group, we wanted to improve the look and feel of our website on a tight budget. The team at Project Ricochet was consistently responsive to our concerns and willing to help us meet our goals. They were transparent with their costs, which allowed us to pick and choose which features and changes we deemed most important. Thanks to this transparency, our new website is a substantial improvement over the old that we were able to achieve in a cost-effective fashion.
—Justin Inman, UCSF

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Wed, 2026-04-01 09:38 — Anonymous (not verified)

Project: SAML SSO - Service Provider Date: 2026-April-01Security risk: Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Authentication bypassAffected versions: <3.1.4CVE IDs: CVE-2026-5343Description: This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.
The module doesn't sufficiently block access, leading to a authentication bypass vulnerability.Solution: Install the latest version:
If you are using the SAML SSO - Service Provider module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4.Reported By:

Tim de Jong | Freelance Drupal Developer (tim_dj)

Fixed By:

Sudhanshu Dhage (sudhanshu0542)

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-031

Search form

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031