
Drupal Contrib Security

URL: https://www.drupal.org/security/contrib
Updated: 12 minutes 39 seconds ago

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

28 January 2026 - 18:29
Project: Central Authentication System (CAS) Server
Date: 2026-January-28
Security risk: Less critical 6 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:Default
Vulnerability: XML Element Injection
Affected versions: <2.0.3 || >=2.1.0 <2.1.2
CVE IDs: CVE-2026-1554
Description:

This module enables you to turn a Drupal install into the Central Authentication System (CAS). It makes your database the primary location for other systems to use for authentication in a SSO environment.

The module doesn't sufficiently sanitize user-supplied field values configured to be included as attributes in a CAS server response.

This vulnerability is mitigated by the fact that an attacker must be authenticated, must be able to enter XML into a user entity field, and that field must be configured as a CAS attribute source before the XML element injection can occur.

Solution: 

Install the latest version:

  • If you use the CAS Server module for Drupal >=9.1.x or 10.x, upgrade to CAS Server 2.0.3
  • If you use the CAS Server module for Drupal >=10.3.x or 11.x, upgrade to CAS Server 2.1.2
Reported By: 
  • Gaël Gosset (gaëlg)
Fixed By: 
  • Ted Cooper (elc)
  • Gaël Gosset (gaëlg)
  • Jaap Jansma (jaapjansma)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Drupal Canvas - Moderately critical - Access bypass - SA-CONTRIB-2026-006

28 January 2026 - 18:28
Project: Drupal Canvas
Date: 2026-January-28
Security risk: Moderately critical 10 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-1553
Description:

This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.

The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.

This vulnerability is mitigated by the fact that Canvas Pages don't have content moderation enabled by default, and they must be unpublished after being released, and archiving is not a feature provided by the module yet.

Solution: 

Install the latest version:

If you use the Drupal Canvas module, upgrade to Canvas 1.0.4.

Reported By: 
  • jschref
Fixed By: 
  • Bálint Kléri (balintbrews)
  • Matt Glaman (mglaman)
  • Christian López Espínola (penyaskito)
  • Tim Plunkett (tim.plunkett)
Coordinated By: 
  • Alex Bronstein (effulgentsia) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
Categories: Drupal Security

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

14 January 2026 - 18:57
Project: Microsoft Entra ID SSO Login
Date: 2026-January-14
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-0948
Description:

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.

The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

Solution: 
  1. If you use the Microsoft Entra ID SSO Login module, update to the module's latest version, Microsoft Entra ID SSO Login 2.0.0 (or Microsoft Entra ID SSO Login 1.0.4).
  2. Review the release notes and module documentation for information on how to update your configuration with the new module release.
  3. Site administrators should also review their security settings after upgrading and consider enabling the "Block User 1" and "Block Administrator role" options for additional protection.
Reported By: 
  • Ashish Verma (ashish.verma85)
  • Dheeraj Jhamtani (dheeraj jhamtani)
  • Marcelo Vani (marcelovani)
Fixed By: 
  • Jaseer Kinangattil (jaseerkinangattil)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

AT Internet Piano Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-004

14 January 2026 - 18:56
Project: AT Internet Piano Analytics
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1 || >=2.0.0 <2.3.1
CVE IDs: CVE-2026-0947
Description:

This module integrates the AT Internet Piano Analytics service.

The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pianoanalytics".

Solution: 

Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the AT Internet Piano Analytics module for Drupal 10+, upgrade to AT Internet Piano Analytics 2.3.1
  • If you use the AT Internet Piano Analytics module for Drupal 9, upgrade to AT Internet Piano Analytics 1.0.1
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Frank Mably (mably)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Categories: Drupal Security

AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003

14 January 2026 - 18:55
Project: AT Internet SmartTag
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <1.0.1
CVE IDs: CVE-2026-0946
Description:

This module integrates the AT Internet SmartTag service.

The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag".

Solution: 

Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.

  • If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to AT Internet SmartTag 1.0.1
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Frank Mably (mably)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

14 January 2026 - 18:54
Project: Role Delegation
Date: 2026-January-14
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: >=1.3.0 <1.5.0
CVE IDs: CVE-2026-0945
Description:

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission.

The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.

This vulnerability is mitigated by the fact that an attacker must have access to a view of users with the Views Bulk Operations module enabled.

Solution: 

Install the latest version:

  • If you use the Role Delegation module for Drupal ^10.3 || ^11, upgrade to Role Delegation 8.x-1.5
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Adam Bramley (acbramley)
  • Dieter Holvoet (dieterholvoet)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

14 January 2026 - 18:53
Project: Group invite
Date: 2026-January-14
Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <2.3.9 || >=3.0.0 <3.0.4 || >=4.0.0 <4.0.4
CVE IDs: CVE-2026-0944
Description:

This module allows group managers to invite people into their group.

The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.

This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.

Solution: 

Install the latest version:

  • If you use the Group Invite module 2.3.x, upgrade to Group Invite 2.3.9
  • If you use the Group Invite module 3.0.x, upgrade to Group Invite 3.0.4
  • If you use the Group Invite module 4.0.x, upgrade to Group Invite 4.0.4
Reported By: 
  • Kevin Quillen (kevinquillen)
Fixed By: 
  • eduardo morales alberti
  • Kevin Quillen (kevinquillen)
  • Nikolay Lobachev (lobsterr)
  • Ricardo Sanz Ante (tunic)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

17 December 2025 - 18:47
Project: HTTP Client Manager
Date: 2025-December-17
Security risk: Less critical 8 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Information disclosure
Affected versions: <9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1
CVE IDs: CVE-2025-14840
Description:

Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.

The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.

Solution: 

Install the latest version:

  • If you use the Http Client Manager module 9.3.x, upgrade to Http Client Manager 9.3.13
  • If you use the Http Client Manager module 10.0.x, upgrade to Http Client Manager 10.0.2
  • If you use the Http Client Manager module 11.0.x, upgrade to Http Client Manager 11.0.1
Reported By: 
  • mxh
Fixed By: 
  • Adriano Cori (aronne)
  • mxh
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125

10 December 2025 - 18:53
Project: Acquia Content Hub
Date: 2025-December-10
Security risk: Moderately critical 11 ∕ 25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Cross-Site Request Forgery
Affected versions: <3.6.4 || >=3.7.0 <3.7.3
CVE IDs: CVE-2025-14472
Description:

This module provides a centralized content distribution and syndication solution so that customers can publish, reuse, and syndicate content across a network of Drupal websites.

The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into exporting an unwanted entity.

Solution: 

Install the latest version:

  • If you use Acquia Content Hub 3.6.x, upgrade to Acquia Content Hub 3.6.4.
  • If you use Acquia Content Hub 3.7.x, upgrade to Acquia Content Hub 3.7.3.
  • The latest version, Acquia Content Hub 3.8.0, is also now available with both the security fix and other improvements.
Reported By: 
  • Lee Rowlands (larowlan) of the Drupal Security Team
Fixed By: 
  • Kirti Garg (kirti_garg)
  • Narendra Shenvi Desai (n4r3n)
  • Peter Pajor (pajor)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

3 December 2025 - 19:49
Project: Disable Login Page
Date: 2025-December-03
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.1.3
CVE IDs: CVE-2025-13986
Description:

This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.

The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.

This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.

Solution: 

Install the latest version:

  • If you use the Disable Login Page module, upgrade to Disable Login Page 1.1.3
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Anoop John (anoopjohn)
  • Jijo Joseph (jijojoseph_zyxware)
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Coordinated By: 
  • cilefen (cilefen) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123

3 December 2025 - 19:49
Project: Entity Share
Date: 2025-December-03
Security risk: Moderately critical 14 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure
Affected versions: <3.13.0
CVE IDs: CVE-2025-13985
Description:

This module enables you to deploy content from one Drupal website to another.

The module provides some default configuration without sufficient access control.

This vulnerability is mitigated by the fact that an administrator can add access control permissions to the default configuration.

Solution: 

Install the latest version:

  • If you use the Entity Share module for Drupal on branch 8.x-3.x, upgrade to Entity Share 8.x-3.13.

For a hotfix without upgrading the module, edit the entity_share_client_entity_import_status view to ensure access permissions are set.

Reported By: 
  • Jürgen Haas (jurgenhaas)
Fixed By: 
  • Florent Torregrosa (grimreaper)
  • Joachim Noreiko (joachim)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • cilefen (cilefen) of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

3 December 2025 - 19:49
Project: Next.js
Date: 2025-December-03
Security risk: Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.6.4 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-13984
Description:

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations as there are no configuration options to disable this behavior.

Solution: 

There are two steps to resolve the issue: install the latest version and review your configuration.

  1. Update the module:
    • If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1.
    • If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4.
  2. After upgrading, review the CORS configuration in sites/default/services.yml (see this module's CORS.md for details). This is especially important if you previously relied on the automatic CORS configuration.
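As an added illustration (not part of the advisory or the module's own files), the two services.yml states the advisory contrasts: the permissive setting the affected module imposed, and an explicit allow-list to put in place after upgrading. The keys are Drupal core's cors.config parameters; the origin and header values are constructed placeholders.

```yaml
# sites/default/services.yml (added example, not from the advisory)
parameters:
  cors.config:
    # Weak: what the affected Next.js module enforced regardless of this file.
    # Shown commented out so it is recognisable, never to be shipped.
    # enabled: true
    # allowedOrigins: ['*']

    # Corrected: explicit allow-list, reviewed after upgrading to 1.6.4 / 2.0.1.
    enabled: true
    allowedHeaders: ['x-csrf-token', 'authorization', 'content-type', 'accept']
    allowedMethods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS']
    # Constructed placeholder: list only the origin(s) of your Next.js front end.
    allowedOrigins: ['https://frontend.example.com']
    allowedOriginsPatterns: []
    exposedHeaders: false
    maxAge: false
    supportsCredentials: true
```

A quick check before and after the upgrade is to send any request with an Origin header and confirm the response no longer carries Access-Control-Allow-Origin: *; with the corrected file, only the listed origin is echoed back.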

Reported By: 
  • Mike Decker (pookmish)
Fixed By: 
  • Brian Perry (brianperry)
  • Rob Decker (rrrob)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

3 December 2025 - 19:48
Project: Tagify
Date: 2025-December-03
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site Scripting
Affected versions: <1.2.44
CVE IDs: CVE-2025-13983
Description:

This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.

The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.

Solution: 

Install the latest version:

  • If you use the Tagify module for Drupal, upgrade to Tagify 1.2.44.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • David Galeano (gxleano)
  • Lee Rowlands (larowlan) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

3 December 2025 - 19:48
Project: Login Time Restriction
Date: 2025-December-03
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Cross-Site Request Forgery
Affected versions: <1.0.3
CVE IDs: CVE-2025-13982
Description:

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.

The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.

Solution: 

Install the latest version:

  • If you use the Login Time Restriction module for Drupal, upgrade to Login Time Restriction v1.0.3.
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • Kunal Singh (kunal_singh)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

3 December 2025 - 19:48
Project: AI (Artificial Intelligence)
Date: 2025-December-03
Security risk: Moderately critical 13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-Site Scripting
Affected versions: <1.0.7 || >=1.1.0 <1.1.7 || >=1.2.0 <1.2.4
CVE IDs: CVE-2025-13981
Description:

This module provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.

The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.

Solution: 

Install the latest version:

  • If you use the AI module 1.0.x, upgrade to AI 1.0.7.
  • If you use the AI module 1.1.x, upgrade to AI 1.1.7.
  • If you use the AI module 1.2.x, upgrade to AI 1.2.4.
Reported By: 
  • Drew Webber (mcdruid) of the Drupal Security Team
Fixed By: 
  • Marcus Johansson (marcus_johansson)
Coordinated By: 
  • Bram Driesen (bramdriesen) provisional member of the Drupal Security Team
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Drew Webber (mcdruid) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

3 December 2025 - 19:48
Project: CKEditor 5 Premium Features
Date: 2025-December-03
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <1.2.10 || >=1.3.0 <1.3.6 || >=1.4.0 <1.4.3 || >=1.5.0 <1.5.1 || >=1.6.0 <1.6.4
CVE IDs: CVE-2025-13980
Description:

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.

This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.

This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.

Solution: 

Install the latest version:

  • If you use the 10.3 or higher or 11.x versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.6.4.
  • If you use the 10.0 to 10.2 versions of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.5.1.
  • If you use the 9.x version of Drupal core, upgrade the module to CKEditor 5 Premium Features 1.3.6.

A fix was also released to already unsupported branches. However, we recommend using the latest version that works with the version of Drupal core that you're using:

  • CKEditor 5 Premium Features 1.4.3.
  • CKEditor 5 Premium Features 1.2.10.

After the module is updated, if you are using the Export to Word or Export to PDF plugins, please grant the Use exporters endpoints permission to roles that are allowed to use text formats with export plugins enabled.

Reported By: 
  • Wojciech Kukowski (salmonek)
Fixed By: 
  • Wojciech Kukowski (salmonek)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

3 December 2025 - 19:47
Project: Mini site
Date: 2025-December-03
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-Site Scripting
Affected versions: <3.0.2
CVE IDs: CVE-2025-13979
Description:

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.

These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.

This vulnerability is mitigated by the fact that an attacker must have a role with the "create [bundle] content" permission.

Solution: 

Two steps are required. Install the latest version and adjust configuration:

  1. If you use Mini site 2.x or 3.x versions, upgrade to the Mini site 3.0.2.
  2. A new manage minisites permission has been added. This new permission will need to be assigned to a trusted role for the user to be able to upload the zip file.

Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • cb_govcms
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
  • Jess (xjm) of the Drupal Security Team
Categories: Drupal Security

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

5 November 2025 - 19:09
Project: Simple multi step form
Date: 2025-November-05
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross-site Scripting
Affected versions: <2.0.0
CVE IDs: CVE-2025-12761
Description:

This module provides the ability to convert any entity form into a simple multi-step form.

The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer node form display”.

Solution: 

Install the latest version:

  • If you use the Simple multi step form module for Drupal, upgrade to a release from the 2.x branch, as the 8.x-1.x branch is now unsupported
Reported By: 
  • Ide Braakman (idebr)
Fixed By: 
  • Diosbel Mezquía (dmezquia)
  • Ide Braakman (idebr)
  • Vitaliy Bogomazyuk (vitaliyb98)
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

5 November 2025 - 19:08
Project: Email TFA
Date: 2025-November-05
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass
Affected versions: <2.0.6
CVE IDs: CVE-2025-12760
Description:

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution: 

Install the latest version:

  • If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6
Reported By: 
  • Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By: 
  • abdulaziz zaid
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
  • Pierre Rudloff (prudloff)
Categories: Drupal Security

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

29 October 2025 - 17:44
Project: Simple OAuth (OAuth2) & OpenID Connect
Date: 2025-October-29
Security risk: Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=6.0.0 <6.0.7
CVE IDs: CVE-2025-12466
Description:

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them.

The module doesn't sufficiently respect granted scopes; this affects all access checks that are based on roles. For example, routes that have the _role requirement can be bypassed with an access token.

This vulnerability is mitigated by the fact that an attacker must possess the access token, and the user related to the token must have the roles named in the route's role requirement assigned.

Update: the Affected versions field was updated to reflect that this vulnerability was present in the 6.0.0 release and fixed in 6.0.7. Earlier versions of this advisory incorrectly stated that other versions were affected.

Solution: 

Install the latest version:

  • If you use the "Simple OAuth (OAuth2) & OpenID Connect" module for Drupal, upgrade to Simple OAuth (OAuth2) & OpenID Connect 6.0.7
Reported By: 
  • coffeemakr
Fixed By: 
  • Bojan Bogdanovic (bojan_dev)
  • coffeemakr
  • Juraj Nemec (poker10) of the Drupal Security Team
Coordinated By: 
  • Greg Knaddison (greggles) of the Drupal Security Team
  • Juraj Nemec (poker10) of the Drupal Security Team
Categories: Drupal Security