Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
AnalysisAI
Improper case sensitivity handling in the Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 allows privilege escalation through authentication bypass mechanisms. Authenticated or remote attackers can exploit case-sensitivity weaknesses in identity claim validation to assume elevated permissions within Drupal systems relying on this module for federated authentication. The vulnerability affects all versions from 0.0.0 through 1.5.0, and vendor-released patch version 1.5.0 is available.
Technical ContextAI
The Drupal OpenID Connect / OAuth client module (CPE: cpe:2.3:a:drupal:openid_connect_/_oauth_client:*:*:*:*:*:*:*:*) implements federated authentication via OpenID Connect and OAuth 2.0 protocols. The vulnerability stems from CWE-178 (Improper Handling of Case Sensitivity), a weakness where the module fails to normalize or properly compare claims (such as user identifiers, email addresses, or group memberships) in a case-insensitive manner consistent with OAuth/OIDC specifications. Attackers can craft authentication payloads using alternative case variations of identity claims to bypass access control checks, potentially matching them to higher-privilege accounts or groups where case normalization was applied inconsistently. This is particularly dangerous in scenarios where usernames or email-based role assignments are case-sensitive in the OAuth provider but case-insensitive in Drupal's user database.
RemediationAI
Upgrade the Drupal OpenID Connect / OAuth client module to version 1.5.0 or later. This patched version addresses the case-sensitivity handling defect. Administrators should apply this update immediately to all Drupal installations using this module. Until patching is completed, implement network-level mitigations by restricting access to Drupal's OAuth callback endpoints (/oauth/authorize, /openid-connect/*) to trusted IP ranges or requiring additional authentication layers (such as WAF rules enforcing claim normalization on inbound OIDC responses). Additionally, review and standardize claim handling in custom code to ensure case-insensitive comparison of user identifiers and group memberships. Consult the vendor security advisory at https://www.drupal.org/sa-contrib-2026-027 for specific installation and verification steps.
More in Openid Connect Oauth Client
View allDrupal OpenID Connect / OAuth client versions before 1.5.0 contain an authentication bypass vulnerability that allows at
The Drupal OpenID Connect / OAuth client module versions prior to 1.5.0 contains a Server-Side Request Forgery (SSRF) vu
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16389