Skip to main content

Tfa Basic Plugins

1 CVEs product

Monthly

CVE-2026-6816 MEDIUM This Month

Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.

Authentication Bypass Tfa Basic Plugins
NVD HeroDevs
CVSS 4.0
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM This Month

Access bypass in Drupal TFA Basic Plugins 7.x-1.0 through 7.x-1.2 allows authenticated site administrators holding the 'administer users' permission to view or generate two-factor authentication recovery codes belonging to other user accounts. This undermines the integrity of TFA enrollment by granting a permission scope - user administration - unintended access to sensitive authentication secrets. No public exploit code exists and no active exploitation has been confirmed; however, the risk is meaningful in multi-admin deployments where role separation is relied upon to enforce least-privilege access to authentication credentials.

Authentication Bypass Tfa Basic Plugins
NVD HeroDevs

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy