CVE-2026-3531 PUBLISHED

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Assigner: drupal
Reserved: 04.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

Product Status

Vendor	Drupal
Product	OpenID Connect / OAuth client
Versions	Default: unaffected affected from 0.0.0 to 1.5.0 (excl.)

Credits

Kimberley Massey (kimberleycgm) finder
Kimberley Massey (kimberleycgm) remediation developer
Philip Frilling (pfrilling) remediation developer
Damien McKenna (damienmckenna) coordinator
Greg Knaddison (greggles) coordinator
Juraj Nemec (poker10) coordinator

References

https://www.drupal.org/sa-contrib-2026-026

Problem Types

CWE-288 Authentication Bypass Using an Alternate Path or Channel CWE

Impacts

CAPEC-115 Authentication Bypass