Privilege Escalation Issue in Drupal's Two-factor Authentication Module
CVE-2025-7030

Currently unrated

Key Information:

Vendor: Drupal
Status: Two-factor Authentication (tfa)
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-7030?

The Two-factor Authentication (TFA) module in Drupal is susceptible to a privilege escalation vulnerability caused by incorrectly configured access control mechanisms. This security flaw allows attackers to exploit improperly set security levels, leading to unauthorized actions and access within the system. Users of versions from 0.0.0 up to 1.10.9 are particularly at risk, making it essential to upgrade to address these critical access control weaknesses.

Affected Version(s)

Two-factor Authentication (TFA) 0.0.0 < 1.11.0

References

https://www.drupal.org/sa-contrib-2025-085

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Jul 2, 2025

Credit

Conrad Lara (cmlara)

cilefen (cilefen)

Dan Smith (galooph)

Greg Knaddison (greggles)

Jess (xjm)