OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Project:

OpenID Connect / OAuth client

Date:

2026-March-04

Security risk:

Less critical 9 ∕ 25 AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<1.5.0

CVE IDs:

CVE-2026-3532

Description:

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created.

The module doesn't sufficiently validate the uniqueness of certain user fields depending on the database engine and its collation.

As a result, a user may be able to register with the same email address as another user.

This may lead to data integrity issues.

Solution:

Install the latest version:

If you use the OpenID Connect 8.x-1.x module, upgrade to OpenID Connect 8.x-1.5

Updating OpenID Connect will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.

Reported By:

Eric Smith (ericgsmith)

Fixed By:

Philip Frilling (pfrilling)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team

Contribution record

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community