CVE-2026-3530

CVE-2026-3530: OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

Vendor: Drupal
Product: OpenID Connect / OAuth client
Weakness: CWE-918 · SSRF
Published: March 26, 2026
Last update: March 30, 2026

What the vulnerability does

01 Description

Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

Explanation of Vulnerability in Simple Terms

02 Summary

The OpenID Connect / OAuth client module for Drupal contains a server-side request forgery vulnerability that allows an attacker to make the site send HTTP requests to arbitrary internal or external systems. An attacker can exploit this by crafting a malicious request that causes the module to fetch content from unintended targets, potentially exposing internal services or data. Update to version 1.5.0 or later to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Make your site send HTTP requests to internal systems or external targets on the attacker's behalf.

Potential impact on your site

04 Site Impact

Attackers could probe internal infrastructure, access private services, or exfiltrate data via forced requests from your Drupal site.

Conditions required to exploit

05 Prerequisites

Network access to the site; specific attack vector details unavailable due to missing CVSS data.

Key dates

06 Disclosure timeline

March 26, 2026: CVE published
March 30, 2026: Record updated