OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025 - Security-news

4 Mar 2026


      View online: https://www.drupal.org/sa-contrib-2026-025
Project: OpenID Connect / OAuth client [1]
Date: 2026-March-04
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Server-side request forgery, Information disclosure
Affected versions: <1.5.0
CVE IDs: CVE-2026-3530
Description: 
This module enables you to use an external OpenID Connect login provider to
authenticate and log in users on your site. If a user signs in with a login
provider for the first time on the website, a new Drupal user will be
created.
The module doesn't sufficiently validate certain fields coming from the
identity provider, which could lead to SSRF and information disclosures.
This vulnerability is mitigated by:
- an attacker must have access to the identity provider to provide
compromised data at the source profile.
- a site must have specific field mappings configured
Solution: 
Install the latest version:
* If you use the OpenID Connect 8.x-1.x module upgrade to OpenID Connect
    8.x-1.5 [3]
Reported By: 
  * Drew Webber (mcdruid) [4] of the Drupal Security Team
Fixed By: 
  * Drew Webber (mcdruid) [5] of the Drupal Security Team
  * Philip Frilling (pfrilling) [6]
Coordinated By: 
  * Damien McKenna (damienmckenna) [7] of the Drupal Security Team
  * Greg Knaddison (greggles) [8] of the Drupal Security Team
  * Drew Webber (mcdruid) [9] of the Drupal Security Team
  * Juraj Nemec (poker10) [10] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5
[4] https://www.drupal.org/u/mcdruid
[5] https://www.drupal.org/u/mcdruid
[6] https://www.drupal.org/u/pfrilling
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/mcdruid
[10] https://www.drupal.org/u/poker10
[11]  
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....