Access Bypass Vulnerability in Drupal TFA Basic Plugins
CVE-2026-6816

5.1 MEDIUM

Key Information:

Vendor: Drupal
CVE Published: 28 May 2026

What is CVE-2026-6816?

An access bypass vulnerability in the TFA Basic Plugins for Drupal allows users with administrative permissions to view or generate recovery codes for other users. This issue poses a risk of unauthorized access to sensitive account recovery options, potentially compromising user security and privacy. Administrators should take immediate action to mitigate this vulnerability by upgrading to the patched versions.

Affected Version(s)

TFA Basic Plugins 7.x-1.0 <= 7.x-1.2

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
