View online: https://www.drupal.org/sa-contrib-2025-020 Project: OAuth2 Server [1] Date: 2025-February-26 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass Affected versions: <2.1.0 Description:  Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate. Solution:  Install the latest version: * If you use the OAuth2 server module for Drupal 2.x, upgrade to OAuth2 server 2.1.0 [3] Reported By:  * Pierre Rudloff (prudloff) [4] Fixed By:  * cafuego [5] * Lee Rowlands (larowlan) [6] of the Drupal Security Team Coordinated By:  * Greg Knaddison (greggles) [7] of the Drupal Security Team [1] https://www.drupal.org/project/oauth2_server [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/oauth2_server/releases/2.1.0 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/cafuego [6] https://www.drupal.org/u/larowlan [7] https://www.drupal.org/u/greggles