[Security-news] Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
security-news at drupal.org
security-news at drupal.org
Wed Jan 14 17:57:33 UTC 2026
View online: https://www.drupal.org/sa-contrib-2026-005
Project: Microsoft Entra ID SSO Login [1]
Date: 2026-January-14
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.0.4
CVE IDs: CVE-2026-0948
Description:
This module enables Drupal sites to authenticate users via Microsoft Entra ID
(formerly Azure AD) using OAuth 2.0.
The module doesn't sufficiently validate API responses from Microsoft
allowing complete account takeover of any user, including site
administrators, without requiring any credentials or access to the target's
email account.
Solution:
1) If you use the Microsoft Entra ID SSO Login, update to the module's
latest version Microsoft Entra ID SSO Login 2.0.0 [3] (or Microsoft Entra
ID SSO Login 1.0.4 [4]).
2) Review the release node and module documentation for information on how
to update your configuration with the new module release.
3) Site administrators should also review their security settings after
upgrading and consider enabling the "Block User 1" and "Block
Administrator role" options for additional protection.
Reported By:
* Ashish Verma (ashish.verma85) [5]
* Dheeraj Jhamtani (dheeraj jhamtani) [6]
* Marcelo Vani (marcelovani) [7]
Fixed By:
* Jaseer Kinangattil (jaseerkinangattil) [8]
Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/social_auth_entra_id
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social_auth_entra_id/releases/2.0.0
[4] https://www.drupal.org/project/social_auth_entra_id/releases/1.0.4
[5] https://www.drupal.org/u/ashishverma85
[6] https://www.drupal.org/u/dheeraj-jhamtani
[7] https://www.drupal.org/u/marcelovani
[8] https://www.drupal.org/u/jaseerkinangattil
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11]
https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567531
More information about the Security-news
mailing list