CVE-2026-3530 PUBLISHED

OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Assigner: drupal
Reserved: 04.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

Product Status

Vendor	Drupal
Product	OpenID Connect / OAuth client
Versions	Default: unaffected affected from 0.0.0 to 1.5.0 (excl.)

Credits

Drew Webber (mcdruid) finder
Drew Webber (mcdruid) remediation developer
Philip Frilling (pfrilling) remediation developer
Damien McKenna (damienmckenna) coordinator
Greg Knaddison (greggles) coordinator
Drew Webber (mcdruid) coordinator
Juraj Nemec (poker10) coordinator

References

https://www.drupal.org/sa-contrib-2026-025

Problem Types

CWE-918 Server-Side Request Forgery (SSRF) CWE

Impacts

CAPEC-664 Server Side Request Forgery