View online: https://www.drupal.org/sa-contrib-2026-005
Project: Microsoft Entra ID SSO Login [1]
Date: 2026-January-14
Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-0948

Description:
This module enables Drupal sites to authenticate users via Microsoft Entra ID (formerly Azure AD) using OAuth 2.0.
The module doesn't sufficiently validate API responses from Microsoft, allowing complete account takeover of any user, including site administrators, without requiring any credentials or access to the target's email account.

Solution:
1) If you use the Microsoft Entra ID SSO Login module, update to the module's latest version, Microsoft Entra ID SSO Login 2.0.0 [3] (or Microsoft Entra ID SSO Login 1.0.4 [4]).
2) Review the release node and module documentation for information on how to update your configuration with the new module release.
3) Site administrators should also review their security settings after upgrading and consider enabling the "Block User 1" and "Block Administrator role" options for additional protection.

Reported By:
  * Ashish Verma (ashish.verma85) [5]
  * Dheeraj Jhamtani (dheeraj jhamtani) [6]
  * Marcelo Vani (marcelovani) [7]

Fixed By:
  * Jaseer Kinangattil (jaseerkinangattil) [8]

Coordinated By:
  * Greg Knaddison (greggles) [9] of the Drupal Security Team
  * Juraj Nemec (poker10) [10] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/social_auth_entra_id
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social_auth_entra_id/releases/2.0.0
[4] https://www.drupal.org/project/social_auth_entra_id/releases/1.0.4
[5] https://www.drupal.org/u/ashishverma85
[6] https://www.drupal.org/u/dheeraj-jhamtani
[7] https://www.drupal.org/u/marcelovani
[8] https://www.drupal.org/u/jaseerkinangattil
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....