Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-reachable brute-force attack requiring a low-privilege account; limited confidentiality and integrity impact from credential access, no availability impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.
AnalysisAI
Brute-force credential attacks against Drupal sites running the Login Disable contrib module (versions 0.0.0 through 2.1.4) are enabled by the module's failure to restrict excessive authentication attempts (CWE-307). The module, intended to provide administrators with login-gating controls, paradoxically omits rate-limiting enforcement, allowing a low-privileged attacker to enumerate or compromise user credentials via automated requests. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Drupal site to have the Login Disable contrib module installed and active in a version prior to 2.1.4. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score is 5.4 (Medium), reflecting limited impact (C:L/I:L/A:N) and a requirement for low-privilege authentication (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privilege Drupal account on a site running Login Disable prior to 2.1.4 submits automated credential-stuffing requests against other user accounts using a leaked password list, exploiting the absence of rate limiting or lockout in the module. Because no throttling is enforced, thousands of attempts can be made in rapid succession without triggering a block, potentially yielding valid credentials for higher-privileged accounts. … |
| Remediation | The primary fix is to update the Drupal Login Disable module to version 2.1.4 or later, which addresses the lack of authentication-attempt restriction per the vendor advisory at https://www.drupal.org/sa-contrib-2026-070. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Login Disable
View allThe Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the user_lo
The Drupal Login Disable module contains an authentication bypass vulnerability (CWE-288) that allows attackers to circu
Improper Authentication vulnerability in Drupal Login Disable allows Exploiting Incorrectly Configured Access Control Se
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43074
GHSA-v36x-q6gx-86g9