Skip to main content

Openid Connect Oauth Client EUVDEUVD-2026-16389

| CVE-2026-3532 MEDIUM
Improper Handling of Case Sensitivity (CWE-178)
2026-03-26 drupal
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16389
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:04 nvd
MEDIUM 4.2

DescriptionCVE.org

Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

AnalysisAI

Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.

Technical ContextAI

The Drupal OpenID Connect / OAuth client module (CPE: cpe:2.3:a:drupal:openid_connect_/_oauth_client:*:*:*:*:*:*:*:*) implements federated authentication via OpenID Connect and OAuth 2.0 protocols. The vulnerability stems from CWE-178 (Improper Handling of Case Sensitivity), a weakness where the module fails to normalize or properly compare claims (such as user identifiers, email addresses, or group memberships) in a case-insensitive manner consistent with OAuth/OIDC specifications. Attackers can craft authentication payloads using alternative case variations of identity claims to bypass access control checks, potentially matching them to higher-privilege accounts or groups where case normalization was applied inconsistently. This is particularly dangerous in scenarios where usernames or email-based role assignments are case-sensitive in the OAuth provider but case-insensitive in Drupal's user database.

RemediationAI

Upgrade the Drupal OpenID Connect / OAuth client module to version 1.5.0 or later. This patched version addresses the case-sensitivity handling defect. Administrators should apply this update immediately to all Drupal installations using this module. Until patching is completed, implement network-level mitigations by restricting access to Drupal's OAuth callback endpoints (/oauth/authorize, /openid-connect/*) to trusted IP ranges or requiring additional authentication layers (such as WAF rules enforcing claim normalization on inbound OIDC responses). Additionally, review and standardize claim handling in custom code to ensure case-insensitive comparison of user identifiers and group memberships. Consult the vendor security advisory at https://www.drupal.org/sa-contrib-2026-027 for specific installation and verification steps.

Share

EUVD-2026-16389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy