VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

CVE-2025-10928

Description

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Drupal Access code module before 2. Improper restriction of excessive authentication attempts allows brute-force attacks against user access codes.

Vulnerability

Overview

CVE-2025-10928 is an improper restriction of excessive authentication attempts vulnerability in the Drupal Access code module (versions before 2.0.5). The module allows users to sign in with an access code instead of a username/password combination. It fails to limit the number of failed authentication attempts, enabling an attacker to perform brute-force attacks against access codes [1][2].

Exploitation

An attacker must have a role with the 'change own access code' permission to exploit this vulnerability. When users are allowed to pick their own access codes, the system warns if a chosen code is already taken, which can be used to enumerate valid codes. The lack of rate limiting on authentication attempts allows the attacker to systematically guess access codes without being blocked [2].

Impact

Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to another user's account by guessing their access code. This can lead to privilege escalation or data exposure depending on the compromised user's permissions [1][2].

Mitigation

The vulnerability is fixed in version 2.0.5 of the access_code module. Users are advised to upgrade to this version immediately. No workarounds are mentioned in the advisory [2].
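The control whose absence the advisory describes, a cap on failed access-code attempts, shown here as an added example; it is not the access_code module's code or its 2.0.5 fix, which this page does not describe. The class, function and parameter names, the 5-failures-per-300-seconds policy and the choice to key the counter on the client address (there is no username to key on) are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not the access_code module's code. All names are
// hypothetical; state lives in an in-memory array for the demo.
final class AttemptLimiter
{
    /** @var array<string, int[]> failure timestamps per client key */
    private array $failures = [];

    public function __construct(private int $threshold, private int $window) {}

    /** True if $client has fewer than $threshold failures in the last $window seconds. */
    public function isAllowed(string $client, int $now): bool
    {
        $cutoff = $now - $this->window;
        $recent = array_filter($this->failures[$client] ?? [], fn (int $t): bool => $t > $cutoff);
        $this->failures[$client] = array_values($recent);
        return count($recent) < $this->threshold;
    }

    public function registerFailure(string $client, int $now): void
    {
        $this->failures[$client][] = $now;
    }
}

/** Checks the limiter before the code, so a blocked client learns nothing about its guess. */
function tryLogin(AttemptLimiter $limiter, string $client, string $code, string $expected, int $now): string
{
    if (!$limiter->isAllowed($client, $now)) {
        return 'blocked';
    }
    if (hash_equals($expected, $code)) {   // constant-time comparison
        return 'ok';
    }
    $limiter->registerFailure($client, $now);
    return 'denied';
}

// Constructed demo: 5 failures per 300 s; one client submits wrong codes, then the right one.
$limiter = new AttemptLimiter(5, 300);
for ($i = 0; $i < 7; $i++) {
    echo tryLogin($limiter, '203.0.113.7', sprintf('%04d', $i), '9431', 1000 + $i), PHP_EOL;
}
echo tryLogin($limiter, '203.0.113.7', '9431', '9431', 1006), PHP_EOL; // still inside the window
echo tryLogin($limiter, '203.0.113.7', '9431', '9431', 1400), PHP_EOL; // window has expired
```

A deployed limiter needs shared, persistent storage for the counters rather than a per-request array.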

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/access_code (Packagist) | < 2.0.5 | 2.0.5
