View online: https://www.drupal.org/sa-contrib-2026-031
Project: SAML SSO - Service Provider [1]
Date: 2026-April-01
Security risk: *Critical* 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Authentication bypass
CVE IDs: CVE-2026-5343
Description: This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.
The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.
Solution: Install the latest version:
If you are using the /SAML SSO - Service Provider/ module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4 [3].
Reported By:
* Tim de Jong | Freelance Drupal Developer (tim_dj) [4]
Fixed By:
* Sudhanshu Dhage (sudhanshu0542) [5]
Coordinated By:
* Damien McKenna (damienmckenna) [6] of the Drupal Security Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/40-miniorange_saml-security/-/issues/1 [10]
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/miniorange_saml
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_saml/releases/3.1.4
[4] https://www.drupal.org/u/tim_dj
[5] https://www.drupal.org/u/sudhanshu0542
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/xjm
[10] https://git.drupalcode.org/security/40-miniorange_saml-security/-/issues/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....