OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
View online: https://www.drupal.org/sa-contrib-2026-027

Project: OpenID Connect / OAuth client [1]
Date: 2026-March-04
Security risk: *Less critical* 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <1.5.0
CVE IDs: CVE-2026-3532

Description:
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

Solution:
Install the latest version:

  * If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5 [3]

Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case [4] for additional guidance.

Reported By:
  * Eric Smith (ericgsmith) [5]

Fixed By:
  * Philip Frilling (pfrilling) [6]

Coordinated By:
  * Greg Knaddison (greggles) [7] of the Drupal Security Team
  * Drew Webber (mcdruid) [8] of the Drupal Security Team
  * Juraj Nemec (poker10) [9] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/openid_connect
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/openid_connect/releases/8.x-1.5
[4] https://www.drupal.org/node/3486109
[5] https://www.drupal.org/u/ericgsmith
[6] https://www.drupal.org/u/pfrilling
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....
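
Added example (not code from the advisory or from the OpenID Connect module): the Python code below uses SQLite to show how the same email uniqueness lookup answers differently under a case-sensitive and a case-insensitive collation, and audits a table for accounts whose addresses differ only by case. It assumes the check is an equality lookup on the mail column, which the advisory does not spell out; the table is modeled on Drupal's users_field_data, and the sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows (uid, name, mail); not taken from any real site.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "alice_sso", "Alice@Example.com"),
    (3, "bob", "bob@example.com"),
    (4, "carol", "carol@example.com"),
    (5, "carol_sso", "CAROL@example.com"),
]


def make_db(collation, rows=()):
    """In-memory table modeled on users_field_data; mail uses `collation`."""
    if collation not in ("BINARY", "NOCASE"):
        raise ValueError("unsupported collation")
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users_field_data (uid INTEGER PRIMARY KEY, "
        f"name TEXT, mail TEXT COLLATE {collation})"
    )
    db.executemany("INSERT INTO users_field_data VALUES (?, ?, ?)", rows)
    return db


def mail_is_taken(db, mail):
    """Assumed uniqueness check: an equality lookup, so collation decides."""
    sql = "SELECT 1 FROM users_field_data WHERE mail = ?"
    return db.execute(sql, (mail,)).fetchone() is not None


def case_variant_groups(db):
    """Map each case-folded address held by several accounts to their uids."""
    groups = {}
    for uid, mail in db.execute(
        "SELECT uid, mail FROM users_field_data ORDER BY uid"
    ):
        groups.setdefault(mail.casefold(), []).append(uid)
    return {m: uids for m, uids in groups.items() if len(uids) > 1}


if __name__ == "__main__":
    first = SAMPLE_USERS[:1]
    print(mail_is_taken(make_db("BINARY", first), "Alice@Example.com"))
    print(mail_is_taken(make_db("NOCASE", first), "Alice@Example.com"))
    print(case_variant_groups(make_db("BINARY", SAMPLE_USERS)))
```

Each group returned by case_variant_groups is a set of accounts to review under the guidance linked as [4].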