Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.
Articles & Coverage 1
AnalysisAI
CSRF vulnerability in Backdrop CMS Salesforce module versions prior to 1.x-1.0.1 allows network attackers to hijack OAuth authorization flows. By exploiting the missing random state parameter in the OAuth implementation, attackers can trick authenticated users into authorizing malicious Salesforce integrations, leading to high confidentiality and integrity impact on integrated Salesforce data. CVSS 7.1 (High) reflects network vector with high attack complexity requiring user interaction. No CISA KEV listing or public exploit identified at time of analysis, with EPSS data unavailable for comprehensive risk scoring.
Technical ContextAI
This vulnerability affects the OAuth 2.0 authorization flow implementation in the Backdrop CMS Salesforce integration module (cpe:2.3:a:backdrop_cms_contributed_projects:backdrop-contrib/salesforce). OAuth 2.0 mandates the 'state' parameter as a CSRF mitigation - a cryptographically random value that must be validated during the callback phase to ensure the authorization response corresponds to the original request. CWE-352 (Cross-Site Request Forgery) applies because the module fails to generate or validate this state parameter, allowing attackers to substitute their own authorization requests. This breaks the binding between the user's session and the OAuth flow, enabling session riding attacks against the Salesforce API authorization process.
RemediationAI
Upgrade the Backdrop CMS Salesforce module to version 1.x-1.0.1 or later, which implements proper state parameter generation and validation per OAuth 2.0 security best practices. Download the patched version from the official Backdrop CMS contributed projects repository and follow standard module update procedures. Refer to the vendor advisory at https://backdropcms.org/security/backdrop-sa-contrib-2026-001 for specific upgrade instructions. If immediate patching is not feasible, temporarily disable the Salesforce module integration features and revoke existing OAuth tokens via the Salesforce Connected Apps management console to prevent exploitation of already-compromised authorization flows. Note that disabling the module will break existing Salesforce data synchronization functionality until the patched version can be deployed. After upgrading, administrators should re-authorize Salesforce connections to ensure new sessions use the secured OAuth flow with state parameter validation.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29373
GHSA-v6gq-gxgm-g38r