Skip to main content

Backdrop CMS Salesforce CVE-2026-45430

| EUVDEUVD-2026-29373 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-12 mitre GHSA-v6gq-gxgm-g38r
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 12, 2026 - 05:01 EUVD
Analysis Generated
May 12, 2026 - 04:31 vuln.today
CVE Published
May 12, 2026 - 04:06 nvd
HIGH 7.1

DescriptionCVE.org

The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.

AnalysisAI

CSRF vulnerability in Backdrop CMS Salesforce module versions prior to 1.x-1.0.1 allows network attackers to hijack OAuth authorization flows. By exploiting the missing random state parameter in the OAuth implementation, attackers can trick authenticated users into authorizing malicious Salesforce integrations, leading to high confidentiality and integrity impact on integrated Salesforce data. CVSS 7.1 (High) reflects network vector with high attack complexity requiring user interaction. No CISA KEV listing or public exploit identified at time of analysis, with EPSS data unavailable for comprehensive risk scoring.

Technical ContextAI

This vulnerability affects the OAuth 2.0 authorization flow implementation in the Backdrop CMS Salesforce integration module (cpe:2.3:a:backdrop_cms_contributed_projects:backdrop-contrib/salesforce). OAuth 2.0 mandates the 'state' parameter as a CSRF mitigation - a cryptographically random value that must be validated during the callback phase to ensure the authorization response corresponds to the original request. CWE-352 (Cross-Site Request Forgery) applies because the module fails to generate or validate this state parameter, allowing attackers to substitute their own authorization requests. This breaks the binding between the user's session and the OAuth flow, enabling session riding attacks against the Salesforce API authorization process.

RemediationAI

Upgrade the Backdrop CMS Salesforce module to version 1.x-1.0.1 or later, which implements proper state parameter generation and validation per OAuth 2.0 security best practices. Download the patched version from the official Backdrop CMS contributed projects repository and follow standard module update procedures. Refer to the vendor advisory at https://backdropcms.org/security/backdrop-sa-contrib-2026-001 for specific upgrade instructions. If immediate patching is not feasible, temporarily disable the Salesforce module integration features and revoke existing OAuth tokens via the Salesforce Connected Apps management console to prevent exploitation of already-compromised authorization flows. Note that disabling the module will break existing Salesforce data synchronization functionality until the patched version can be deployed. After upgrading, administrators should re-authorize Salesforce connections to ensure new sessions use the secured OAuth flow with state parameter validation.

Share

CVE-2026-45430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy