SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
View online: https://www.drupal.org/sa-contrib-2026-031

Project: SAML SSO - Service Provider [1]
Date: 2026-April-01
Security risk: *Critical* 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Authentication bypass
CVE IDs: CVE-2026-5343

Description:
This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to an authentication bypass vulnerability.

Solution:
Install the latest version:

* If you are using the /SAML SSO - Service Provider/ module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4 [3].

Reported By:
* Tim de Jong | Freelance Drupal Developer (tim_dj) [4]

Fixed By:
* Sudhanshu Dhage (sudhanshu0542) [5]

Coordinated By:
* Damien McKenna (damienmckenna) [6] of the Drupal Security Team
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Juraj Nemec (poker10) [8] of the Drupal Security Team
* Jess (xjm) [9] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/40-miniorange_saml-security/-/issues/1 [10]

------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/miniorange_saml
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/miniorange_saml/releases/3.1.4
[4] https://www.drupal.org/u/tim_dj
[5] https://www.drupal.org/u/sudhanshu0542
[6] https://www.drupal.org/u/damienmckenna
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/poker10
[9] https://www.drupal.org/u/xjm
[10] https://git.drupalcode.org/security/40-miniorange_saml-security/-/issues/1
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....