OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Project:

OpenID Connect / OAuth client

Date:

2026-March-04

Security risk:

Moderately critical 10 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<1.5.0

CVE IDs:

CVE-2026-3531

Description:

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

A visitor who successfully logs in to their Identity Provider and is denied access to Drupal through custom code or a server error will maintain their session at the Identity Provider, possibly leading to access bypass situations, especially in a shared computing environment.

Solution:

Install the latest version:

If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Reported By:

Kimberley Massey (kimberleycgm)

Fixed By:

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community