Skip to main content

Openid Connect Oauth Client CVE-2026-3531

| EUVDEUVD-2026-16387 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-26 drupal GHSA-f2x9-px9q-jxw2
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16387
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:03 nvd
MEDIUM 6.5

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

AnalysisAI

Drupal OpenID Connect / OAuth client versions before 1.5.0 contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through an alternate path or channel. The vulnerability affects all versions from 0.0.0 through 1.4.x, enabling remote attackers to gain unauthorized access without proper credentials. No CVSS score, EPSS data, or confirmed active exploitation status is currently available; however, the vulnerability's authentication bypass nature and wide version range suggest significant real-world risk to Drupal installations relying on OpenID Connect or OAuth authentication.

Technical ContextAI

The vulnerability exists in Drupal's OpenID Connect / OAuth client module (CPE: cpe:2.3:a:drupal:openid_connect_/_oauth_client:*:*:*:*:*:*:*:*), which implements authentication via external identity providers using OpenID Connect and OAuth protocols. The root cause is classified under CWE-288 (Authentication Using an Alternate Path or Channel), indicating that the module fails to enforce consistent authentication checks across all code paths or communication channels. Attackers can exploit this by discovering or leveraging an undocumented authentication path that bypasses the primary security controls, potentially allowing direct access to protected resources or account takeover without valid OpenID Connect / OAuth tokens.

RemediationAI

Upgrade Drupal OpenID Connect / OAuth client to version 1.5.0 or later to resolve the authentication bypass vulnerability. This is the primary and definitive fix released by the Drupal project. Until patching is feasible, apply compensating controls including strict network segmentation to limit access to Drupal authentication endpoints, implement additional session validation and monitoring for unauthorized account access, and consider temporarily disabling OpenID Connect / OAuth authentication in favor of local authentication methods if operationally viable. For detailed guidance and to verify patch availability, consult the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-026.

Share

CVE-2026-3531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy