Authorization Bypass in Drupal OAuth2 Server
CVE-2025-31691

9.8CRITICAL

Key Information:

Vendor: Drupal
Status: Oauth2 Server
Vendor: CVE Published:; 31 March 2025

Summary

A missing authorization vulnerability in the Drupal OAuth2 Server could allow attackers to perform forceful browsing, gaining unauthorized access to sensitive information. This flaw affects versions of the OAuth2 Server plugin from 0.0.0 up until 2.1.0, providing a significant security risk for users who have not updated to the latest version. It is crucial for administrators to address this issue promptly to protect their applications from potential exploitation.

Affected Version(s)

OAuth2 Server 0.0.0 < 2.1.0

References

https://www.drupal.org/sa-contrib-2025-020

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Mar 31, 2025

Credit

Pierre Rudloff (prudloff)

cafuego

Lee Rowlands (larowlan)

Greg Knaddison (greggles)