{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3530", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:58.794Z", "datePublished": "2026-03-26T20:03:39.756Z", "dateUpdated": "2026-03-30T14:54:58.296Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:39.756Z"}, "title": "OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025", "datePublic": "2026-03-04T18:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"vendor": "Drupal", "product": "OpenID Connect / OAuth client", "collectionURL": "https://www.drupal.org/project/openid_connect", "repo": "https://git.drupalcode.org/project/openid_connect", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.<p>This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-025"}], "credits": [{"lang": "en", "value": "Drew Webber (mcdruid)", "type": "finder"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "remediation developer"}, {"lang": "en", "value": "Philip Frilling (pfrilling)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T14:37:28.152591Z", "id": "CVE-2026-3530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:54:58.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T14:37:28.152591Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:37:48.826Z"}}], "cna": {"title": "OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "remediation developer", "value": "Philip Frilling (pfrilling)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/openid_connect", "vendor": "Drupal", "product": "OpenID Connect / OAuth client", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.5.0", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/openid_connect", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T18:00:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-025"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.<p>This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:39.756Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3530", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:54:58.296Z", "dateReserved": "2026-03-04T16:41:58.794Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:03:39.756Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bojanz:openid_connect_\\/_oauth_client:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "4659C484-D955-4875-A0CC-3EF717150D8A", "versionEndExcluding": "8.x-1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Server Side Request Forgery.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en el cliente Drupal OpenID Connect / OAuth permite la falsificaci\u00f3n de petici\u00f3n del lado del servidor. Este problema afecta al cliente OpenID Connect / OAuth: desde 0.0.0 anterior a 1.5.0."}], "id": "CVE-2026-3530", "lastModified": "2026-04-01T16:11:34.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.150", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-025"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "OpenID Connect / OAuth client", "source": "cna", "vendor": "Drupal"}, "product": "openid", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-02T05:24:50.088925+00:00", "value": {"mitigation_remediation": ["Update the OpenID Connect / OAuth client module to version 1.5.0 or later as the vendor recommends", "Confirm that the update has been successfully applied and that the module no longer accepts unvalidated URLs", "If an immediate upgrade is not feasible, limit outbound traffic from the Drupal server to prevent internal request exposure"], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Drupal installations employing the OpenID Connect / OAuth client module are affected when the module version is from the initial release through 1.4.9. Versions 1.5.0 and higher contain the fix and are not impacted by this issue.", "description_and_impact": "An SSRF vulnerability exists within the Drupal OpenID Connect / OAuth client module that allows an attacker to cause the server to make HTTP requests to arbitrary destinations. This flaw can lead to the disclosure of private information, internal network resources, or enable further attacks such as bypassing firewall restrictions. The weakness is identified as CWE\u2011918, which describes server\u2011side request forgery behaviors.", "risk_and_exploitability": "The CVSS score of 4.3 classifies the vulnerability as low severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. It is not present in the CISA KEV catalog. The attack vector is not explicitly stated in the advisory, but it is inferred that an external attacker can trigger the SSRF by supplying a crafted request to the vulnerable module, a typical scenario for SSRF exploits."}}}}, "created": "2026-03-27T08:32:14.543355+00:00", "updated": "2026-04-02T07:56:26.885589+00:00", "vendors": ["drupal", "drupal$PRODUCT$openid"]}