Improper access control in OpenID Connect / OAuth client - CVE-2026-3532

Published: March 5, 2026


Vulnerability identifier: #VU123567
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-3532
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: pfrilling
Affected software:
OpenID Connect / OAuth client

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists because the affected module does not sufficiently validate the uniqueness of certain user fields; whether two values are treated as identical depends on the database engine and its collation. A remote user can therefore register with the same email address as another user.
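To show how a uniqueness check can hinge on the database collation, here is an added example (not code from the module or its vendor) that uses SQLite as a stand-in engine and constructed sample addresses: the same registrations are accepted or refused depending on the collation of the UNIQUE column, whereas canonicalizing the address in the application before the check gives the same answer on any engine.

```python
import sqlite3
import unicodedata

# Constructed sample registrations: distinct byte strings that most mail
# providers would deliver to the same mailbox.
SAMPLE_EMAILS = [
    "alice@example.com",
    "Alice@Example.com",   # case variant
    "alice@example.com ",  # trailing whitespace
]

ALLOWED_COLLATIONS = ("BINARY", "NOCASE")  # BINARY is SQLite's default


def normalize_email(email: str) -> str:
    """Canonical form for the uniqueness check: NFKC, trimmed, lower-cased."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def count_accepted(emails, collation: str, normalize: bool) -> int:
    """Register each address into a fresh table and return how many were accepted.

    collation: COLLATE clause of the UNIQUE column, standing in for the
               engine-specific equality rules the advisory refers to.
    normalize: True applies the application-level canonical form before the
               check; False relies solely on the database's notion of equality.
    """
    if collation not in ALLOWED_COLLATIONS:
        raise ValueError(f"unsupported collation: {collation}")
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, mail TEXT NOT NULL, "
        f"mail_key TEXT COLLATE {collation} NOT NULL UNIQUE)"
    )
    accepted = 0
    for email in emails:
        key = normalize_email(email) if normalize else email
        try:
            conn.execute(
                "INSERT INTO users (mail, mail_key) VALUES (?, ?)", (email, key)
            )
            accepted += 1
        except sqlite3.IntegrityError:
            pass  # duplicate under this check: registration refused
    conn.close()
    return accepted
```

With the raw value and BINARY collation all three registrations succeed, NOCASE refuses only the case variant, and the normalized check refuses both duplicates regardless of collation.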


How to mitigate CVE-2026-3532

Install updates from the vendor's website.

Sources