{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1917", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-04T16:14:23.990Z", "datePublished": "2026-03-25T15:20:20.274Z", "dateUpdated": "2026-03-26T14:11:44.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}, "title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "datePublic": "2026-02-04T17:23:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Drupal", "product": "Login Disable", "collectionURL": "https://www.drupal.org/project/login_disable", "repo": "https://git.drupalcode.org/project/login_disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Boris Doesborg (batigolix)", "type": "remediation developer"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:38:48.497391Z", "id": "CVE-2026-1917", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:11:44.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:38:48.497391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:58:24.707Z"}}], "cna": {"title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Boris Doesborg (batigolix)"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Pierre Rudloff (prudloff)"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/login_disable", "vendor": "Drupal", "product": "Login Disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/login_disable", "defaultStatus": "unaffected"}], "datePublic": "2026-02-04T17:23:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1917", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:58:30.508Z", "dateReserved": "2026-02-04T16:14:23.990Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:20:20.274Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3."}], "id": "CVE-2026-1917", "lastModified": "2026-03-26T15:16:30.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:10.370", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-008"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Login Disable", "source": "cna", "vendor": "Drupal"}, "product": "login_disable", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T16:57:57.626398+00:00", "value": {"mitigation_remediation": ["Update the Login Disable module to version 2.1.3 or later to eliminate the authentication bypass.", "If updating immediately is not possible, disable the Login Disable module or restrict its usage to trusted administrators only.", "Verify that login and authentication mechanisms function correctly after the update or the temporary mitigation.", "Maintain monitoring of authentication logs for any unauthorized access attempts to detect potential exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Drupal Login Disable module is affected for all versions prior to 2.1.3, from the initial release 0.0.0 up to but excluding 2.1.3. The vulnerability applies to installations that have the module enabled in a Drupal CMS environment.", "description_and_impact": "The Login Disable module for Drupal contains an Authentication Bypass Using an Alternate Path or Channel vulnerability that allows attackers to bypass login controls and access protected functionality without proper credentials. This can lead to unauthorized data exposure, modification, or other privileged actions within the Drupal site. The weakness aligns with CWE-288, highlighting improper authorization handling.", "risk_and_exploitability": "The CVSS v3 score of 4.3 indicates moderate severity, and the EPSS score of under 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread or active exploitation. Based on the description, the likely attack vector is remote, where an attacker provides a crafted request through an alternate channel to trigger the bypass. Exploitation requires the module to be present and enabled; no local privilege escalation or additional software pre\u2011conditions are mentioned."}}}}, "created": "2026-03-26T11:43:02.930194+00:00", "updated": "2026-03-27T09:47:08.750475+00:00", "vendors": ["drupal", "drupal$PRODUCT$login_disable"]}