CVE-2026-3531

CVE-2026-3531: OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

Vendor: Drupal
Product: OpenID Connect / OAuth client
Weakness: CWE-288
Published: March 26, 2026
Last update: March 30, 2026

CVSS base score

What the vulnerability does

01 Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OAuth client allows Authentication Bypass. This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.

Explanation of Vulnerability in Simple Terms

02 Summary

A vulnerability in the Drupal OpenID Connect / OAuth client module before version 1.5.0 allows attackers to bypass authentication mechanisms. The exact attack vector and impact cannot be fully determined due to incomplete CVSS and CWE data. Site administrators should update to version 1.5.0 or later immediately.

What an attacker can do

03 Attacker Capabilities

Bypass authentication or gain unauthorized access to the site.

Potential impact on your site

04 Site Impact

Users may be able to access the site without proper authentication, or attackers may impersonate legitimate users.

Conditions required to exploit

05 Prerequisites

Network access to the site; specific attack requirements unknown due to missing CVSS data.

Key dates

06 Disclosure timeline

March 26, 2026: CVE published
March 30, 2026: Record updated