View online: https://www.drupal.org/sa-contrib-2026-027

Project: OpenID Connect / OAuth client [1]
Date: 2026-March-04
Security risk: *Less critical* 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <1.5.0
CVE IDs: CVE-2026-3532

Description: This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.
Solution: Install the latest version:
* If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5 [3]
Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case [4] for additional guidance.
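
An added example, not part of this advisory or of the module's code: an audit for existing accounts whose email addresses differ only by case, the condition the linked guidance [4] addresses. It runs against a constructed in-memory SQLite table modelled on Drupal's users_field_data table; the sample rows and function names are assumptions.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for Drupal's users_field_data table (uid, name, mail)."""
    db = sqlite3.connect(":memory:")
    # SQLite's default BINARY collation compares text case-sensitively,
    # standing in here for a case-sensitive collation on the site database.
    db.execute("CREATE TABLE users_field_data (uid INTEGER, name TEXT, mail TEXT)")
    db.executemany(
        "INSERT INTO users_field_data VALUES (?, ?, ?)",
        [  # constructed sample accounts
            (2, "alice", "alice@example.com"),
            (3, "bob", "bob@example.com"),
            (7, "alice_oidc", "Alice@Example.com"),  # differs from uid 2 only by case
            (9, "carol", "carol@example.com"),
        ],
    )
    return db

def exact_match_uids(db, mail):
    """Look up an address the way a case-sensitive collation compares it."""
    rows = db.execute(
        "SELECT uid FROM users_field_data WHERE mail = ? ORDER BY uid", (mail,))
    return [uid for (uid,) in rows]

def case_colliding_accounts(db):
    """Map each lowercased address held by more than one uid to its (uid, mail) rows."""
    dupes = db.execute(
        "SELECT LOWER(mail) FROM users_field_data "
        "GROUP BY LOWER(mail) HAVING COUNT(DISTINCT uid) > 1").fetchall()
    report = {}
    for (folded,) in dupes:
        # LOWER() in SQLite folds ASCII only, which is enough for this sample.
        report[folded] = db.execute(
            "SELECT uid, mail FROM users_field_data "
            "WHERE LOWER(mail) = ? ORDER BY uid", (folded,)).fetchall()
    return report

if __name__ == "__main__":
    db = build_sample_db()
    # The exact-match lookup sees only uid 7, so uid 2 is not noticed as a duplicate.
    print(exact_match_uids(db, "Alice@Example.com"))
    for folded, accounts in case_colliding_accounts(db).items():
        print(folded, accounts)
```
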

Reported By:
* Eric Smith (ericgsmith) [5]

Fixed By:
* Philip Frilling (pfrilling) [6]

Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5
[4] https://www.drupal.org/node/3486109
[5] https://www.drupal.org/u/ericgsmith
[6] https://www.drupal.org/u/pfrilling
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....