it-securitynotifies AT lists.piratenpartei.de (list archive, subject: security announcements)

[IT-SecNots] [Security-news] Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
  • Date: Wed, 14 Jan 2026 17:57:33 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=cQv40vhj; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7A5EE8434A
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1B19482BE5
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2026-005

Project: Microsoft Entra ID SSO Login [1]
Date: 2026-January-14
Security risk: *Critical* 16/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.0.4
CVE IDs: CVE-2026-0948
Description: 
This module enables Drupal sites to authenticate users via Microsoft Entra ID
(formerly Azure AD) using OAuth 2.0.

The module doesn't sufficiently validate API responses from Microsoft,
allowing complete account takeover of any user, including site
administrators, without requiring any credentials or access to the target's
email account.
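The advisory states only that the module did not sufficiently validate the responses it received from Microsoft; it does not say which response or which field was trusted. The following is an added example, not the module's code, not its fix, and not a description of the actual defect. It shows what a defender expects validation of an OpenID Connect ID token from an OAuth 2.0 login to include (algorithm allowlist, signature, issuer, audience, tenant, lifetime, nonce) and why the local account must be looked up by the stable tenant/object identifier rather than by a mutable claim such as an email address. It also mirrors the "block user 1" and "block administrator role" safeguards the advisory recommends. The tenant ID, client ID, key, account table and claim values are constructed for the example, and HS256 is used only so the code runs stand-alone; real Entra ID tokens are RS256-signed and are verified against the tenant's published JWKS keys.

```python
"""Added example: validating an OIDC ID token and mapping it to a local account.

Not the Drupal module's code. All identifiers below are constructed; HS256 stands
in for the RS256/JWKS verification a real Entra ID integration performs.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration (hypothetical tenant and app registration).
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"
EXPECTED_AUDIENCE = "example-client-id"
ALLOWED_ALGS = {"HS256"}  # production: {"RS256"} verified with the tenant's JWKS
CLOCK_SKEW = 60  # seconds of tolerance on nbf/exp


class TokenRejected(Exception):
    """Raised when the identity provider response fails a validation step."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed token builder, used only to produce sample input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_id_token(token: str, key: bytes, expected_nonce: str, now=None) -> dict:
    """Return the verified identity {"tid", "oid"} or raise TokenRejected.

    No claim is used for account mapping until the signature, issuer,
    audience, tenant, lifetime and nonce checks have all passed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, body_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none" and algorithm swaps
        raise TokenRejected("unexpected alg")

    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected_sig):
        raise TokenRejected("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise TokenRejected("token issued for a different application")
    if claims.get("tid") != EXPECTED_TENANT:
        raise TokenRejected("wrong tenant")
    if not (claims.get("nbf", 0) - CLOCK_SKEW <= now < claims.get("exp", 0) + CLOCK_SKEW):
        raise TokenRejected("token expired or not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch (possible replay)")
    if not claims.get("oid"):
        raise TokenRejected("no stable object id")
    return {"tid": claims["tid"], "oid": claims["oid"]}


# Constructed local account directory keyed on (tenant id, object id).
LOCAL_ACCOUNTS = {
    (EXPECTED_TENANT, "oid-alice"): {"uid": 42, "name": "alice", "roles": ["editor"]},
    (EXPECTED_TENANT, "oid-root"): {"uid": 1, "name": "admin", "roles": ["administrator"]},
}


def resolve_login(identity: dict, block_user_1: bool = True, block_admin_role: bool = True):
    """Map a verified identity to a local account using only stable identifiers.

    An email or display name from the response is never used to select an
    existing account. Returns the local record, or None when no link exists
    (an explicit, separately authorised linking step is then required).
    """
    account = LOCAL_ACCOUNTS.get((identity["tid"], identity["oid"]))
    if account is None:
        return None
    if block_user_1 and account["uid"] == 1:
        raise TokenRejected("SSO login to user 1 is blocked")
    if block_admin_role and "administrator" in account["roles"]:
        raise TokenRejected("SSO login to administrator accounts is blocked")
    return account
```

The order matters: the signature is checked before any claim is read, and the account lookup never consults `preferred_username` or `email`, so a response carrying someone else's address cannot select that person's local account.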

Solution: 
1) If you use the Microsoft Entra ID SSO Login module, update to the latest
version, Microsoft Entra ID SSO Login 2.0.0 [3] (or Microsoft Entra ID SSO
Login 1.0.4 [4]).
2) Review the release node and module documentation for information on how
to update your configuration with the new module release.
3) Site administrators should also review their security settings after
upgrading and consider enabling the "Block User 1" and "Block
Administrator role" options for additional protection.

Reported By: 
* Ashish Verma (ashish.verma85) [5]
* Dheeraj Jhamtani (dheeraj jhamtani) [6]
* Marcelo Vani (marcelovani) [7]

Fixed By: 
* Jaseer Kinangattil (jaseerkinangattil) [8]

Coordinated By: 
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team

------------------------------------------------------------------------------
Contribution record [11]

[1] https://www.drupal.org/project/social_auth_entra_id
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social_auth_entra_id/releases/2.0.0
[4] https://www.drupal.org/project/social_auth_entra_id/releases/1.0.4
[5] https://www.drupal.org/u/ashishverma85
[6] https://www.drupal.org/u/dheeraj-jhamtani
[7] https://www.drupal.org/u/marcelovani
[8] https://www.drupal.org/u/jaseerkinangattil
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3567531

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

