Skip to main content

Drupal Login Disable EUVDEUVD-2026-43074

| CVE-2026-15079 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-07-10 drupal GHSA-v36x-q6gx-86g9
5.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network-reachable brute-force attack requiring a low-privilege account; limited confidentiality and integrity impact from credential access, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 13, 2026 - 19:46 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
5.4 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:46 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Login Disable allows Brute Force. This issue affects Login Disable versions: from 0.0.0 to 2.1.4.

AnalysisAI

Brute-force credential attacks against Drupal sites running the Login Disable contrib module (versions 0.0.0 through 2.1.4) are enabled by the module's failure to restrict excessive authentication attempts (CWE-307). The module, intended to provide administrators with login-gating controls, paradoxically omits rate-limiting enforcement, allowing a low-privileged attacker to enumerate or compromise user credentials via automated requests. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Drupal account
Delivery
Target Login Disable-managed authentication endpoint
Exploit
Submit automated credential-stuffing requests
Execution
Bypass rate limiting due to CWE-307
Persist
Enumerate or compromise higher-privilege account credentials
Impact
Gain unauthorized account access

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Drupal site to have the Login Disable contrib module installed and active in a version prior to 2.1.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score is 5.4 (Medium), reflecting limited impact (C:L/I:L/A:N) and a requirement for low-privilege authentication (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege Drupal account on a site running Login Disable prior to 2.1.4 submits automated credential-stuffing requests against other user accounts using a leaked password list, exploiting the absence of rate limiting or lockout in the module. Because no throttling is enforced, thousands of attempts can be made in rapid succession without triggering a block, potentially yielding valid credentials for higher-privileged accounts. …
Remediation The primary fix is to update the Drupal Login Disable module to version 2.1.4 or later, which addresses the lack of authentication-attempt restriction per the vendor advisory at https://www.drupal.org/sa-contrib-2026-070. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy