Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

Project:

Microsoft Entra ID SSO Login

Date:

2026-January-14

Security risk:

Critical 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<1.0.4

CVE IDs:

CVE-2026-0948

Description:

This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.

The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

Solution:

If you use the Microsoft Entra ID SSO Login, update to the module's latest version Microsoft Entra ID SSO Login 2.0.0 (or Microsoft Entra ID SSO Login 1.0.4).
Review the release notes and module documentation for information on how to update your configuration with the new module release.
Site administrators should also review their security settings after upgrading and consider enabling the "Block User 1" and "Block Administrator role" options for additional protection.

Reported By:

Fixed By:

Jaseer Kinangattil (jaseerkinangattil)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community