it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
- Date: Wed, 4 Feb 2026 17:23:41 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=jeUzn+sx; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 7E2E041194
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6D8EA8230B
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-008
Project: Login Disable [1]
Date: 2026-February-04
Security risk: *Less critical* 8 ∕ 25
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.1.3
CVE IDs: CVE-2026-1917
Description:
The Login Disable module prevents users from logging in to your Drupal site
unless they know the access key to add to the end of the login form page.
( default: http://example.com/user/login?admin [3] )
If they provide the access key and have a specific role they can log in.
The module does not check for the access key when using the HTTP request
login route. It is possible to use this route to log in without providing the
access key.
Solution:
Install the latest version:
* If you use the Login Disable module, upgrade to Login Disable 2.1.3 [4]
Reported By:
* Pierre Rudloff (prudloff) [5] provisional member of the Drupal Security
Team
Fixed By:
* Boris Doesborg (batigolix) [6]
* Pierre Rudloff (prudloff) [7] provisional member of the Drupal Security
Team
Coordinated By:
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Pierre Rudloff (prudloff) [10] provisional member of the Drupal Security
Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/login_disable
[2] https://www.drupal.org/security-team/risk-levels
[3] http://example.com/user/login?admin
[4] https://www.drupal.org/project/login_disable/releases/2.1.3
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/batigolix
[7] https://www.drupal.org/u/prudloff
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/prudloff
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3571527
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008, security-news, 04.02.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.