View online: https://www.drupal.org/sa-contrib-2025-023
Project: Two-factor Authentication (TFA) [1] Date: 2025-March-05 Security risk: *Moderately critical* 13 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Affected versions: <1.10.0 Description: This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur.
This vulnerability is mitigated by the fact that an attacker must obtain a first-factor login credential.
Solution: Install the latest version and run database updates:
1) If you use the Two-factor Authentication (TFA) module for Drupal 8.x, upgrade to Two-factor Authentication (TFA) 8.x-1.10 [3] 2) Run the database updates. See help documentation [4] on how to run database updates.
TFA 8.x-1.10 will provide a status report error if it detects a known route is being bypassed.
Caution: TFA 8.x-1.10 will attempt to restore these routes to expected norms. This may disable routes added by other modules.
Reported By: * Conrad Lara (cmlara) [5] * Elaman Imashov (elaman) [6]
Fixed By: * Conrad Lara (cmlara) [7]
Coordinated By: * Greg Knaddison (greggles) [8] of the Drupal Security Team
[1] https://www.drupal.org/project/tfa [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tfa/releases/8.x-1.10 [4] https://www.drupal.org/docs/updating-drupal/updating-drupal-core-via-compose... [5] https://www.drupal.org/u/cmlara [6] https://www.drupal.org/u/elaman [7] https://www.drupal.org/u/cmlara [8] https://www.drupal.org/u/greggles