Authentication Bypass in Drupal Simple OAuth and OpenID Connect
CVE-2025-12466

7.5HIGH

Key Information:

Vendor: Drupal
Status: Simple Oauth (oauth2) & Openid Connect
Vendor: CVE Published:; 29 October 2025

What is CVE-2025-12466?

An authentication bypass vulnerability has been identified in Drupal's Simple OAuth and OpenID Connect modules. This flaw allows attackers to exploit alternate paths or channels to bypass standard authentication mechanisms. The issue primarily affects versions 6.0.0 to 6.0.6, making it essential for users to update to version 6.0.7 or later to ensure proper security measures are in place.

Affected Version(s)

Simple OAuth (OAuth2) & OpenID Connect 6.0.0 < 6.0.7

References

https://www.drupal.org/sa-contrib-2025-114

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 29, 2025
Vulnerability Reserved
Oct 29, 2025

Credit

coffeemakr

Bojan Bogdanovic (bojan_dev)

coffeemakr

Juraj Nemec (poker10)

Greg Knaddison (greggles)

Juraj Nemec (poker10)

JSON