{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3532", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:42:01.310Z", "datePublished": "2026-03-26T20:04:03.160Z", "dateUpdated": "2026-03-27T13:53:59.637Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:04:03.160Z"}, "title": "OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027", "datePublic": "2026-03-04T18:02:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-178", "description": "CWE-178 Improper Handling of Case Sensitivity", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "Drupal", "product": "OpenID Connect / OAuth client", "collectionURL": "https://www.drupal.org/project/openid_connect", "repo": "https://git.drupalcode.org/project/openid_connect", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.<p>This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-027"}], "credits": [{"lang": "en", "value": "Eric Smith (ericgsmith)", "type": "finder"}, {"lang": "en", "value": "Philip Frilling (pfrilling)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:53:56.616725Z", "id": "CVE-2026-3532", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:53:59.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Eric Smith (ericgsmith)"}, {"lang": "en", "type": "remediation developer", "value": "Philip Frilling (pfrilling)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/openid_connect", "vendor": "Drupal", "product": "OpenID Connect / OAuth client", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.5.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/openid_connect", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T18:02:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-027"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.<p>This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178 Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:04:03.160Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:53:56.616725Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:53:51.431Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-3532", "state": "PUBLISHED", "dateUpdated": "2026-03-26T20:04:03.160Z", "dateReserved": "2026-03-04T16:42:01.310Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:04:03.160Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0."}, {"lang": "es", "value": "Vulnerabilidad de manejo incorrecto de la sensibilidad a may\u00fasculas y min\u00fasculas en el cliente Drupal OpenID Connect / OAuth permite la escalada de privilegios. Este problema afecta al cliente OpenID Connect / OAuth: desde la 0.0.0 anterior a la 1.5.0."}], "id": "CVE-2026-3532", "lastModified": "2026-03-30T13:26:50.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.420", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-027"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "OpenID Connect / OAuth client", "source": "cna", "vendor": "Drupal"}, "product": "openid", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T16:26:13.679255+00:00", "value": {"mitigation_remediation": ["Update the Drupal OpenID Connect / OAuth client to version 1.5.0 or later.", "If an upgrade is not immediately possible, temporarily disable or remove the module from the site.", "Verify that authentication configurations enforce proper case sensitivity and that user accounts are protected.", "Monitor site logs for suspicious authentication attempts and apply additional hardening as needed."], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The Drupal OpenID Connect / OAuth client is affected, with all releases from the initial 0.0.0 up through version 1.4.x vulnerable; administrators should verify the installed version and plan an upgrade to 1.5.0 or later.", "description_and_impact": "An improper handling of case sensitivity in the Drupal OpenID Connect / OAuth client allows an attacker to bypass access controls by supplying variations in user identifiers, thereby elevating privileges or impersonating accounts. The flaw leads to privilege escalation, and it aligns with CWE-178: Improper Treatment of Case.", "risk_and_exploitability": "The CVSS score of 4.2 indicates low severity, and the EPSS of less than 1\u202f% along with the absence from the KEV catalog suggest that exploitation is unlikely. However, if the module is enabled and an attacker can craft an authentication request, privilege escalation is possible; the risk remains low but warrants timely remediation."}}}}, "created": "2026-03-27T08:32:12.653900+00:00", "updated": "2026-03-27T20:26:04.149565+00:00", "vendors": ["drupal", "drupal$PRODUCT$openid"]}