Skip to main content

TFA Basic Plugins EUVDEUVD-2026-33229

| CVE-2026-6816 MEDIUM
Privilege Defined With Unsafe Actions (CWE-267)
2026-05-28 mlhess@drupal.org GHSA-rgcr-rww9-8rr3
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 23:30 vuln.today

DescriptionCVE.org

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.

This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.

AnalysisAI

Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.

Technical ContextAI

The affected module is TFA Basic Plugins for Drupal 7 (CPE implied: drupal:tfa_basic_plugins 7.x-1.0 through 7.x-1.2). Drupal 7 reached end-of-life in January 2025, making this module part of a legacy platform. The root cause is classified as CWE-267 (Privilege Defined With Unsafe Actions), which describes a situation where a granted privilege carries unintended side effects beyond its declared scope. Specifically, the 'administer users' permission - intended to manage account properties such as status, roles, or credentials - was implemented in a way that also permits reading and generating TFA recovery codes. Recovery codes are one-time-use fallback secrets that bypass the second authentication factor entirely, making unauthorized access to them a direct path to account takeover without requiring the target user's TOTP device.

RemediationAI

No vendor-released patched version is independently confirmed from the provided data; the security advisory at https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085 should be consulted directly for any available update or patch version. Since Drupal 7 is EOL, sites requiring continued support may engage HeroDevs extended support (referenced at https://www.herodevs.com/vulnerability-directory/cve-2026-6816) for patched builds. As a compensating control, site administrators should audit which accounts hold the 'administer users' permission and reduce that role's assignment to only fully trusted personnel; shrinking the set of users who can trigger this bypass directly reduces exposure. Additionally, administrators should review TFA recovery code logs for any anomalous access. The most impactful long-term remediation is migrating off Drupal 7 to a supported Drupal version, as the EOL status means future vulnerabilities will not receive upstream patches.

Share

EUVD-2026-33229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy