Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
AnalysisAI
Drupal OpenID Connect / OAuth client versions before 1.5.0 contain an authentication bypass vulnerability that allows attackers to circumvent authentication mechanisms through an alternate path or channel. The vulnerability affects all versions from 0.0.0 through 1.4.x, enabling remote attackers to gain unauthorized access without proper credentials. No CVSS score, EPSS data, or confirmed active exploitation status is currently available; however, the vulnerability's authentication bypass nature and wide version range suggest significant real-world risk to Drupal installations relying on OpenID Connect or OAuth authentication.
Technical ContextAI
The vulnerability exists in Drupal's OpenID Connect / OAuth client module (CPE: cpe:2.3:a:drupal:openid_connect_/_oauth_client:*:*:*:*:*:*:*:*), which implements authentication via external identity providers using OpenID Connect and OAuth protocols. The root cause is classified under CWE-288 (Authentication Using an Alternate Path or Channel), indicating that the module fails to enforce consistent authentication checks across all code paths or communication channels. Attackers can exploit this by discovering or leveraging an undocumented authentication path that bypasses the primary security controls, potentially allowing direct access to protected resources or account takeover without valid OpenID Connect / OAuth tokens.
RemediationAI
Upgrade Drupal OpenID Connect / OAuth client to version 1.5.0 or later to resolve the authentication bypass vulnerability. This is the primary and definitive fix released by the Drupal project. Until patching is feasible, apply compensating controls including strict network segmentation to limit access to Drupal authentication endpoints, implement additional session validation and monitoring for unauthorized account access, and consider temporarily disabling OpenID Connect / OAuth authentication in favor of local authentication methods if operationally viable. For detailed guidance and to verify patch availability, consult the official Drupal security advisory at https://www.drupal.org/sa-contrib-2026-026.
More in Openid Connect Oauth Client
View allThe Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 contains a Server-Side Request Forgery (SSRF) vu
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows pri
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16387
GHSA-f2x9-px9q-jxw2