Drupal Simple OAuth and OpenID Connect Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the Drupal Simple OAuth (OAuth2) and OpenID Connect modules, affecting versions 6.0.0 up to but not including 6.0.7. The modules do not properly enforce the scopes granted to an access token, so access checks based on user roles can be satisfied by a token that was not granted those roles. For instance, a route that requires specific roles can be reached with an access token even though the necessary permissions were never granted to it.
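
As an added illustration (not code from the Simple OAuth module or the Drupal project), the Python model below contrasts a role-based access check that ignores the scopes granted to a token with one that enforces them. It assumes that scope names correspond to role names and that a route is satisfied by any one of its required roles; the tokens and route are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Validated bearer token (constructed model, not the module's own structure)."""
    user_roles: frozenset      # every role the token's owner holds on the site
    granted_scopes: frozenset  # scopes the client was actually granted on this token


@dataclass(frozen=True)
class Route:
    required_roles: frozenset  # holding any one of these roles grants access


def vulnerable_access(token: Token, route: Route) -> bool:
    # Flaw pattern: once the token validates, the check uses the owner's full
    # role set and never consults the scopes granted to this token.
    return bool(route.required_roles & token.user_roles)


def fixed_access(token: Token, route: Route) -> bool:
    # Enforce scopes: a role counts only if the owner holds it AND the token
    # was granted the matching scope (assumption: scope name == role name).
    effective_roles = token.user_roles & token.granted_scopes
    return bool(route.required_roles & effective_roles)


# Constructed sample data: an admin-only route and three tokens.
ADMIN_ROUTE = Route(frozenset({"administrator"}))
ADMIN_ROLES = frozenset({"authenticated", "administrator"})
EDITOR_ROLES = frozenset({"authenticated", "content_editor"})
TOKENS = {
    # admin's token issued with only an editor scope: must NOT reach the route
    "limited": Token(ADMIN_ROLES, frozenset({"content_editor"})),
    # admin's token issued with the administrator scope: legitimately allowed
    "full": Token(ADMIN_ROLES, frozenset({"administrator"})),
    # non-admin whose client asked for the administrator scope: still denied
    "overreach": Token(EDITOR_ROLES, frozenset({"administrator"})),
}


def compare() -> dict:
    """Map each sample token to (flawed_result, fixed_result) for ADMIN_ROUTE."""
    return {name: (vulnerable_access(t, ADMIN_ROUTE), fixed_access(t, ADMIN_ROUTE))
            for name, t in TOKENS.items()}
```

The "limited" token is the case the advisory describes: the flawed check admits it to the administrator route because its owner holds that role, while the scope-enforcing check denies it.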

Impact

Exploitation of this vulnerability allows for unauthorized access to routes and resources that require specific user roles, potentially leading to unauthorized actions or data access.

Remediation

Users of the affected Drupal Simple OAuth (OAuth2) and OpenID Connect modules should upgrade to version 6.0.7.

Added: Oct 30, 2025, 12:18 AM
Updated: Oct 30, 2025, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread:         0.0
impact:         5.0
exploitability: 5.2
remediation:    7.7
relevance:      0.9
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.