Authentication Bypass Vulnerability in Drupal OpenID Connect / OAuth Client
CVE-2026-3531

6.5MEDIUM

Key Information:

Vendor: Drupal
Status: Openid Connect / Oauth Client
Vendor: CVE Published:; 26 March 2026

What is CVE-2026-3531?

An authentication bypass vulnerability has been identified in the Drupal OpenID Connect / OAuth client. This vulnerability allows an attacker to bypass intended authentication mechanisms by exploiting alternate paths or channels. The issue affects all versions prior to 1.5.0, potentially allowing unauthorized access to sensitive areas of protected resources. It is critical for users of the affected products to update to the latest versions to safeguard their applications from this security risk. For more details, visit the official Drupal advisory.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

OpenID Connect / OAuth client 0.0.0 < 1.5.0

References

https://www.drupal.org/sa-contrib-2026-026

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 4, 2026

Credit

Kimberley Massey (kimberleycgm)

Philip Frilling (pfrilling)

Damien McKenna (damienmckenna)

Greg Knaddison (greggles)

Juraj Nemec (poker10)

JSON

Drupal