Main Vulnerability Database Vulnerabilities #VU122399

Improper access control in Login Disable - CVE-2026-1917

Published: February 5, 2026

Vulnerability identifier: #VU122399

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-1917

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: budda

Affected software:
Login Disable

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to the affected module does not check for the access key when using the HTTP request login route. A remote user can log in without providing the access key.

How to mitigate CVE-2026-1917

Install updates from vendor's website.

Sources

https://www.drupal.org/sa-contrib-2026-008

Improper access control in Login Disable - CVE-2026-1917

Detailed vulnerability description

How to mitigate CVE-2026-1917

Sources

Please verify you're human