Authentication Bypass Vulnerability in Drupal Authenticator Login Plugin
CVE-2025-8995

9.8CRITICAL

Key Information:

Vendor: Drupal
Status: Authenticator Login
Vendor: CVE Published:; 15 August 2025

What is CVE-2025-8995?

A security vulnerability exists in the Authenticator Login plugin for Drupal, allowing attackers to bypass authentication mechanisms. This flaw affects versions prior to 2.1.4, enabling unauthorized access through alternate paths that exploit certain conditions. Web administrators are advised to review their implementations and apply necessary updates to mitigate potential risks.

Affected Version(s)

Authenticator Login 0.0.0 < 2.1.4

References

https://www.drupal.org/sa-contrib-2025-096

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 15, 2025
Vulnerability Reserved
Aug 13, 2025

Credit

Pierre Rudloff (prudloff)

Ahmed Raza (ahmed.raza)

Damien McKenna (damienmckenna)

Dan Smith (galooph)

Greg Knaddison (greggles)

Cathy Theys (yesct)