CVE-2026-1917 PUBLISHED

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

Assigner: drupal
Reserved: 04.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.

Product Status

Vendor	Drupal
Product	Login Disable
Versions	Default: unaffected affected from 0.0.0 to 2.1.3 (excl.)

Credits

Pierre Rudloff (prudloff) finder
Boris Doesborg (batigolix) remediation developer
Pierre Rudloff (prudloff) remediation developer
Greg Knaddison (greggles) coordinator
Juraj Nemec (poker10) coordinator
Pierre Rudloff (prudloff) coordinator

References

https://www.drupal.org/sa-contrib-2026-008

Problem Types

CWE-288 Authentication Bypass Using an Alternate Path or Channel CWE

Impacts

CAPEC-554 Functionality Bypass