View online: https://www.drupal.org/sa-contrib-2026-026
Project: OpenID Connect / OAuth client [1]
Date: 2026-March-04
Security risk: *Moderately critical* 10/25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.5.0
CVE IDs: CVE-2026-3531
Description:
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.
A visitor who successfully authenticates at the Identity Provider but is then denied access to Drupal, whether by custom code on the site or by a server error during login, is left with a live session at the Identity Provider even though no Drupal session was created. Because that session is not ended, it may later be reused to sign in without re-entering credentials, possibly leading to access bypass situations, especially on a shared computer where another person uses the same browser.
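The following is an added illustration of the failure mode above and of one way a relying party can close it; it is not the openid_connect module's code and not necessarily the change shipped in 8.x-1.5. It uses OpenID Connect RP-Initiated Logout 1.0, where the RP sends the browser to the provider's end_session_endpoint with id_token_hint and a pre-registered post_logout_redirect_uri. The provider metadata values, the post-logout URI, the example_authorize hook and the sample claims are all constructed for the demo; only the parameter and discovery-metadata names are the standard ones.

```python
"""Added example (not the openid_connect module's code): an OIDC relying-party
callback that ends the Identity Provider session when the local login is refused.

Assumptions: PROVIDER and POST_LOGOUT_URI are made-up values; example_authorize
is a hypothetical site policy hook standing in for custom code on the site.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed provider discovery metadata (real key names, fake values).
PROVIDER = {
    "issuer": "https://idp.example",
    "end_session_endpoint": "https://idp.example/oidc/logout",
}
# Must be registered at the provider, otherwise the IdP will refuse the redirect.
POST_LOGOUT_URI = "https://drupal.example/user/login?logged_out=1"


@dataclass
class CallbackResult:
    status: str                      # "logged_in", "denied" or "idp_logout"
    location: Optional[str] = None   # redirect target when status == "idp_logout"


def rp_logout_url(provider: dict, id_token: str, state: str) -> Optional[str]:
    """Build the RP-initiated logout redirect, or None when the provider does not
    advertise end_session_endpoint (then there is no standard way to end its session)."""
    endpoint = provider.get("end_session_endpoint")
    if not endpoint:
        return None
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_URI,
        "state": state,
    }
    return endpoint + "?" + urlencode(params)


def logout_params(url: str) -> dict:
    """Parse a logout redirect back into its query parameters (used for checks)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_callback(id_token: str, claims: dict, state: str,
                        authorize: Callable[[dict], bool]) -> CallbackResult:
    """The failure mode the advisory describes: a refused login, or a crash in the
    site's own authorization code, returns an error page and leaves the IdP session
    alive in the visitor's browser."""
    try:
        if not authorize(claims):
            return CallbackResult("denied")
    except Exception:
        return CallbackResult("denied")     # would be an HTTP 500 on a real site
    return CallbackResult("logged_in")


def hardened_callback(id_token: str, claims: dict, state: str,
                      authorize: Callable[[dict], bool],
                      provider: dict = PROVIDER) -> CallbackResult:
    """Same flow, but every path that does not end in a Drupal session first sends
    the browser to the IdP's end_session_endpoint."""
    try:
        allowed = authorize(claims)
    except Exception:
        allowed = False                     # treat a server error exactly like a refusal
    if allowed:
        # ... load or create the Drupal account and start the local session ...
        return CallbackResult("logged_in")
    url = rp_logout_url(provider, id_token, state)
    if url is None:
        return CallbackResult("denied")     # cannot end the IdP session; log it loudly
    return CallbackResult("idp_logout", url)


def example_authorize(claims: dict) -> bool:
    """Hypothetical site policy hook: allow only corp.example addresses. A missing
    email claim raises KeyError, simulating buggy custom code (the server-error path)."""
    email = claims["email"]
    return email.endswith("@corp.example")


if __name__ == "__main__":
    for claims in ({"email": "a@corp.example"}, {"email": "a@other.example"}, {}):
        print(claims, "->", hardened_callback("tok", claims, "st", example_authorize))
```

The check worth keeping from this: in the hardened flow the denial branch and the exception branch converge on the same logout redirect, so a site that adds its own authorization hook cannot reintroduce the lingering-session problem by throwing instead of returning false. The post_logout_redirect_uri must be registered with the provider, and the state value should be verified on the way back, as with the login round trip.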
Solution: Install the latest version:
* If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5 [3]
Reported By:
* Kimberley Massey (kimberleycgm) [4]
Fixed By:
* Kimberley Massey (kimberleycgm) [5]
* Philip Frilling (pfrilling) [6]
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5
[4] https://www.drupal.org/u/kimberleycgm
[5] https://www.drupal.org/u/kimberleycgm
[6] https://www.drupal.org/u/pfrilling
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....