Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

Джерело:
Security advisories for contributed projects

Дата публікації:
04/02/2026 19:23

Постійна адреса новини:
http://www.vsinovyny.com/12659236

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

04/02/2026 19:23 // Security advisories for contributed projects

Project:

Date:

2026-February-04

Security risk:

Less critical 8 ∕ 25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All

Vulnerability:

Access bypass

Affected versions:

<2.1.3

CVE IDs:

CVE-2026-1917

Description:

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page.
( default: http://example.com/user/login?admin )
If they provide the access key and have a specific role they can log in.

The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.

Solution:

Install the latest version:

If you use the Login Disable module, upgrade to Login Disable 2.1.3

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

Boris Doesborg (batigolix)
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

» Читати повністю

«	Наступна новина з архіву РФ здійснила кібератаки на Італію, попри заклики до миру під час Олімпійських ігор	Попередня новина з архіву Israeli strikes kill at least 21 in Gaza as Rafah patient crossings halted	»