What the vulnerability does
01 Description
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
Explanation of Vulnerability in Simple Terms
02 Summary
The TFA Basic module for Drupal contains a privilege-escalation vulnerability affecting versions 7.x-1.0 through 7.x-1.2. An authenticated administrator can exploit improper access control to read or modify sensitive data within the module's scope. The vulnerability requires high-level privileges and does not involve user interaction. Site owners should update to a version newer than 7.x-1.2.
What an attacker can do
03 Attacker Capabilities
Read or modify sensitive data within the TFA Basic module if they have administrator access.
Potential impact on your site
04 Site Impact
An admin account could be misused to access or alter two-factor authentication settings or related sensitive data.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level privileges on the Drupal site.
Key dates
06 Disclosure timeline
May 28, 2026: CVE published
May 29, 2026: Record updated