Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass. This issue affects Simple OAuth (OAuth2) & OpenID Connect: from 6.0.0 before 6.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Drupal Simple OAuth module fails to enforce the scopes granted to an OAuth access token when it evaluates role-based route access, so the holder of a valid but narrowly scoped token can reach routes that the token's scopes should not permit.
Analysis
The vulnerability in the Drupal Simple OAuth (OAuth2) & OpenID Connect module (versions 6.0.0 up to but not including 6.0.7) stems from insufficient scope enforcement when checking role-based access [1][2]. The module does not properly respect the scopes granted to an access token: when a route carries a `_role` requirement, the check is satisfied by the roles of the account the token belongs to, even if the token's scopes were never meant to grant those roles.
Exploitation
An attacker must possess a valid access token belonging to a user who has the roles required for the target route [2], but whose granted scopes do not cover those roles. With such a token, they can access the restricted endpoints even though the token's scopes should limit those actions. The attack requires no additional authentication and no special network position beyond holding the token.
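To make the Analysis and Exploitation sections above concrete, the following PHP is an added illustration and is not code from the simple_oauth module or from Drupal core. It models Drupal's `_role` route requirement syntax (`a+b` means any of the listed roles, `a,b` means all of them) and compares a check that trusts the account's roles directly with one that first narrows those roles to what the token's scopes grant. The scope-to-role map, the function names and the scenario data are constructed assumptions for the demonstration.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the simple_oauth module or Drupal core.
// Constructed assumption: each scope grants a fixed set of roles.
const SCOPE_ROLES = [
    'editor' => ['content_editor'],
    'admin'  => ['administrator'],
];

/** Parse a `_role` requirement string into an all-of or any-of role list. */
function parseRoleRequirement(string $requirement): array
{
    // A comma-separated list means every role is required.
    $all = array_values(array_filter(array_map('trim', explode(',', $requirement))));
    if (count($all) > 1) {
        return ['all' => $all];
    }
    // Otherwise a plus-separated list means any one role suffices.
    $any = array_values(array_filter(array_map('trim', explode('+', $requirement))));
    return ['any' => $any];
}

/** True when the given roles satisfy the parsed requirement. */
function rolesSatisfy(array $roles, array $parsed): bool
{
    if (isset($parsed['all'])) {
        return array_diff($parsed['all'], $roles) === [];
    }
    return array_intersect($parsed['any'], $roles) !== [];
}

/** Vulnerable shape: the token's scopes play no part in the decision. */
function roleAccessIgnoringScopes(array $accountRoles, array $tokenScopes, string $requirement): bool
{
    return rolesSatisfy($accountRoles, parseRoleRequirement($requirement));
}

/** Hardened shape: only roles the token's scopes grant may satisfy the route. */
function roleAccessHonouringScopes(array $accountRoles, array $tokenScopes, string $requirement): bool
{
    $granted = [];
    foreach ($tokenScopes as $scope) {
        foreach (SCOPE_ROLES[$scope] ?? [] as $role) {
            $granted[$role] = true;
        }
    }
    // Roles the account does not actually hold are never granted by a scope.
    $effective = array_values(array_intersect($accountRoles, array_keys($granted)));
    return rolesSatisfy($effective, parseRoleRequirement($requirement));
}

// Constructed scenario: the account is an administrator, but the token was
// issued with only the 'editor' scope and the route requires 'administrator'.
$accountRoles = ['authenticated', 'content_editor', 'administrator'];
$tokenScopes  = ['editor'];
$requirement  = 'administrator';

echo 'ignoring scopes:  ', roleAccessIgnoringScopes($accountRoles, $tokenScopes, $requirement) ? "allowed\n" : "denied\n";
echo 'honouring scopes: ', roleAccessHonouringScopes($accountRoles, $tokenScopes, $requirement) ? "allowed\n" : "denied\n";
```

Run with `php scopes.php`: the first check allows the request because the account holds the administrator role, the second denies it because the editor-only token never granted that role. Try the requirement `content_editor+administrator` to see the any-of form, and `content_editor,administrator` to see the all-of form fail even with both scopes absent.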
Impact
Successful exploitation lets the token holder bypass the scope restrictions on their access token and reach functionality protected by role-based route requirements, potentially leading to privilege escalation or data exposure.
Mitigation
The issue is fixed in version 6.0.7 [2]. Users are advised to update immediately. No workaround is documented.
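To check whether a deployment is in the affected range, the following PHP is an added example, not part of the advisory or the module. It reads a composer.lock, looks up `drupal/simple_oauth` in both `packages` and `packages-dev`, and reports whether the locked version lies in `>=6.0.0,<6.0.7`. The embedded lock file is constructed sample input; pass a real path as the first argument to check an actual site.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or the simple_oauth module.
const PACKAGE   = 'drupal/simple_oauth';
const FIRST_BAD = '6.0.0';
const FIXED     = '6.0.7';

/** Return the locked version of a package, searching both sections of composer.lock. */
function lockedVersion(array $lock, string $name): ?string
{
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === $name) {
                return $pkg['version'] ?? null;
            }
        }
    }
    return null;
}

/** True for a release version inside [FIRST_BAD, FIXED); dev builds are handled by the caller. */
function isAffected(string $version): bool
{
    $v = ltrim($version, 'v');
    return version_compare($v, FIRST_BAD, '>=') && version_compare($v, FIXED, '<');
}

// Constructed sample lock file used when no path is supplied.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "drupal/core", "version": "10.3.6"},
    {"name": "drupal/simple_oauth", "version": "6.0.5"}
  ],
  "packages-dev": []
}
JSON;

$path = $argv[1] ?? null;
$json = $path !== null ? file_get_contents($path) : $sampleLock;
$lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

$version = lockedVersion($lock, PACKAGE);
if ($version === null) {
    echo PACKAGE, " not present\n";
} elseif (str_contains($version, 'dev')) {
    // version_compare() is not meaningful for branch checkouts such as 6.0.x-dev.
    echo PACKAGE, " $version: branch checkout, compare the commit against the ", FIXED, " release manually\n";
} else {
    echo PACKAGE, " $version: ", isAffected($version) ? 'AFFECTED, update to ' . FIXED : 'not in affected range', "\n";
}
```

Run as `php check.php /path/to/composer.lock`; without an argument it evaluates the embedded sample and reports version 6.0.5 as affected. The dev-branch case is split out deliberately because `version_compare()` does not order `6.0.x-dev` reliably against a tagged release.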
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| drupal/simple_oauth | Packagist | >= 6.0.0, < 6.0.7 | 6.0.7 |
Affected products
- Range: >=6.0.0, <6.0.7
- Drupal / Simple OAuth (OAuth2) & OpenID Connect (v5): Range: 6.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-jqmq-fpwv-p925 (source: GHSA; type: advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2025-12466 (source: GHSA; type: advisory)
- [3] www.drupal.org/sa-contrib-2025-114 (source: GHSA; type: web)
News mentions
No linked articles in our index yet.