{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1917", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-04T16:14:23.990Z", "datePublished": "2026-03-25T15:20:20.274Z", "dateUpdated": "2026-03-26T14:11:44.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}, "title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "datePublic": "2026-02-04T17:23:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"vendor": "Drupal", "product": "Login Disable", "collectionURL": "https://www.drupal.org/project/login_disable", "repo": "https://git.drupalcode.org/project/login_disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Boris Doesborg (batigolix)", "type": "remediation developer"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}, {"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:38:48.497391Z", "id": "CVE-2026-1917", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:11:44.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1917", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:38:48.497391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:58:24.707Z"}}], "cna": {"title": "Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Boris Doesborg (batigolix)"}, {"lang": "en", "type": "remediation developer", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}, {"lang": "en", "type": "coordinator", "value": "Pierre Rudloff (prudloff)"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/login_disable", "vendor": "Drupal", "product": "Login Disable", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "2.1.3", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/login_disable", "defaultStatus": "unaffected"}], "datePublic": "2026-02-04T17:23:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-008"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3.", "supportingMedia": [{"type": "text/html", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.<p>This issue affects Login Disable: from 0.0.0 before 2.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:20:20.274Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1917", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:11:44.215Z", "dateReserved": "2026-02-04T16:14:23.990Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:20:20.274Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:budda:login_disable:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "8B1365FE-349C-46F5-A021-2C6AE029543F", "versionEndExcluding": "2.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass.This issue affects Login Disable: from 0.0.0 before 2.1.3."}, {"lang": "es", "value": "Vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n Usando una Ruta o Canal Alternativo en Drupal Login Disable permite la Omisi\u00f3n de Funcionalidad. Este problema afecta a Login Disable: desde 0.0.0 antes de 2.1.3."}], "id": "CVE-2026-1917", "lastModified": "2026-04-02T20:37:38.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:10.370", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-008"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Login Disable", "source": "cna", "vendor": "Drupal"}, "product": "login_disable", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-03T00:05:14.465793+00:00", "value": {"mitigation_remediation": ["Upgrade the Login Disable module to version 2.1.3 or later.", "If a patch cannot be applied immediately, disable or uninstall the module until it can be updated.", "Check any custom routes or code that relies on the module\u2019s alternate authentication paths and modify them to avoid vulnerable behavior.", "Keep an eye on access logs for suspicious authentication attempts using alternate channels."], "summary": {"action": "Apply patch", "impact": "Authentication Bypass via Alternate Path"}, "threat_synthesis": {"affected_systems": "Drupal sites running the Login Disable module from initial release up through version 2.1.2 are affected. Versions 2.1.3 and later contain the fix. The affected module is identified by its CPE designation but is typically referenced as the Login Disable module in Drupal installations.", "description_and_impact": "The Login Disable module for Drupal allows an attacker to bypass the normal login process by using an alternate route or channel within the module\u2019s functionality. This flaw, classified as CWE\u2011288, can grant unauthorized users access to areas of a Drupal site that normally require valid credentials, potentially enabling information disclosure or administrative actions.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low-to\u2011moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to target a site that has the vulnerable module installed and exploit the alternate authentication path. No evidence exists that exploitation requires privileged access or knowledge beyond the public web root."}}}}, "created": "2026-03-26T11:43:02.930194+00:00", "updated": "2026-04-03T09:39:05.787794+00:00", "vendors": ["drupal", "drupal$PRODUCT$login_disable"]}