Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
AnalysisAI
Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.
Technical ContextAI
The affected module is TFA Basic Plugins for Drupal 7 (CPE implied: drupal:tfa_basic_plugins 7.x-1.0 through 7.x-1.2). Drupal 7 reached end-of-life in January 2025, making this module part of a legacy platform. The root cause is classified as CWE-267 (Privilege Defined With Unsafe Actions), which describes a situation where a granted privilege carries unintended side effects beyond its declared scope. Specifically, the 'administer users' permission - intended to manage account properties such as status, roles, or credentials - was implemented in a way that also permits reading and generating TFA recovery codes. Recovery codes are one-time-use fallback secrets that bypass the second authentication factor entirely, making unauthorized access to them a direct path to account takeover without requiring the target user's TOTP device.
RemediationAI
No vendor-released patched version is independently confirmed from the provided data; the security advisory at https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085 should be consulted directly for any available update or patch version. Since Drupal 7 is EOL, sites requiring continued support may engage HeroDevs extended support (referenced at https://www.herodevs.com/vulnerability-directory/cve-2026-6816) for patched builds. As a compensating control, site administrators should audit which accounts hold the 'administer users' permission and reduce that role's assignment to only fully trusted personnel; shrinking the set of users who can trigger this bypass directly reduces exposure. Additionally, administrators should review TFA recovery code logs for any anomalous access. The most impactful long-term remediation is migrating off Drupal 7 to a supported Drupal version, as the EOL status means future vulnerabilities will not receive upstream patches.
Same weakness CWE-267 – Privilege Defined With Unsafe Actions
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33229
GHSA-rgcr-rww9-8rr3