{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1917", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-04T16:14:23.990Z", "datePublished": "2026-03-25T15:20:20.274Z", "dateUpdated": "2026-03-26T14:11:44.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}, "title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "datePublic": "2026-02-04T17:23:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Drupal", "product": "Login Disable", "collectionURL": "https://www.drupal.org/project/login_disable", "repo": "https://git.drupalcode.org/project/login_disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Boris Doesborg (batigolix)", "type": "remediation developer"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:38:48.497391Z", "id": "CVE-2026-1917", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:11:44.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:38:48.497391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:58:24.707Z"}}], "cna": {"title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Boris Doesborg (batigolix)"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Pierre Rudloff (prudloff)"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/login_disable", "vendor": "Drupal", "product": "Login Disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/login_disable", "defaultStatus": "unaffected"}], "datePublic": "2026-02-04T17:23:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1917", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:11:44.215Z", "dateReserved": "2026-02-04T16:14:23.990Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:20:20.274Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3."}], "id": "CVE-2026-1917", "lastModified": "2026-03-26T15:16:30.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:10.370", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-008"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Login Disable", "source": "cna", "vendor": "Drupal"}, "product": "login_disable", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T22:07:04.637372+00:00", "value": {"mitigation_remediation": ["Apply the latest Login Disable update (v2.1.3 or newer).", "If updating is not immediately possible, restrict access to the Login Disable module or disable the vulnerable functionality.", "Monitor authentication logs for anomalous activity and apply network segmentation to limit direct exposure to the vulnerable endpoint."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "This issue affects the Drupal Login Disable module for all released versions from 0.0.0 up to, but not including, 2.1.3. System administrators should verify whether any of these versions are present on their sites and actively running the module.", "description_and_impact": "Drupal Login Disable contains a flaw that allows an attacker to bypass normal authentication by using an alternate path or channel. The vulnerability permits unintended access to protected functionality without proper credentials, effectively weakening the authentication controls classified under CWE-288.", "risk_and_exploitability": "The CVSS score of 7.3 indicates a high severity, but EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a web\u2011based request that targets an alternate authentication channel; no special privileges or pre\u2011conditions are needed other than access to the vulnerable functionality."}}}}, "created": "2026-03-26T11:43:02.930194+00:00", "updated": "2026-03-26T12:13:24.369806+00:00", "vendors": ["drupal", "drupal$PRODUCT$login_disable"]}