
[CIVN-2026-0174] Authentication Bypass Vulnerability in SAML SSO Plugin of Drupal
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
SAML SSO Plugin of Drupal versions prior to 3.1.4
Overview
A critical vulnerability has been reported in the SAML SSO Service Provider module for Drupal that could allow a remote attacker to obtain sensitive information or bypass access controls on the targeted system.
Target Audience:
All end-user organizations and individuals using Drupal installations with the affected SAML SSO module.
Risk Assessment:
Very high risk of access bypass and unauthorized access to sensitive information.
Impact Assessment:
Potential impact on confidentiality, integrity, and availability of the system.
Description
Drupal is an open-source content management system (CMS) and web application framework.
A critical vulnerability exists in the SAML SSO Service Provider module that allows authentication bypass due to improper enforcement of access restrictions during the SAML authentication process. An attacker may exploit this flaw by manipulating SAML responses or authentication flows.
Successful exploitation of this vulnerability could allow an attacker to bypass access controls and obtain sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.drupal.org/sa-contrib-2026-031
Vendor Information
Drupal
https://www.drupal.org/sa-contrib-2026-031
References
https://www.drupal.org/sa-contrib-2026-031
CVE Name
CVE-2026-5343
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


