View online: https://www.drupal.org/sa-contrib-2026-025
Project: OpenID Connect / OAuth client [1] Date: 2026-March-04 Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Server-side request forgery, Information disclosure
Affected versions: <1.5.0 CVE IDs: CVE-2026-3530 Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate certain fields coming from the identity provider, which could lead to SSRF and information disclosures.
This vulnerability is mitigated by: - an attacker must have access to the identity provider to provide compromised data at the source profile. - a site must have specific field mappings configured
Solution: Install the latest version:
* If you use the OpenID Connect 8.x-1.x module upgrade to OpenID Connect 8.x-1.5 [3]
Reported By: * Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By: * Drew Webber (mcdruid) [5] of the Drupal Security Team * Philip Frilling (pfrilling) [6]
Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team * Drew Webber (mcdruid) [9] of the Drupal Security Team * Juraj Nemec (poker10) [10] of the Drupal Security Team
------------------------------------------------------------------------------ Contribution record [11]
[1] https://www.drupal.org/project/openid_connect [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/mcdruid [6] https://www.drupal.org/u/pfrilling [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://www.drupal.org/u/mcdruid [10] https://www.drupal.org/u/poker10 [11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....