VYPR
Moderate severity · NVD Advisory · Published Nov 18, 2025 · Updated Nov 18, 2025

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

CVE-2025-12760

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Email TFA for Drupal fails to enforce two-factor authentication on certain login paths, allowing attackers with valid credentials to bypass the second factor.

Vulnerability

Overview

The Email TFA module for Drupal provides email-based two-factor authentication (2FA) for user logins. However, in certain login scenarios, the module's protection is incomplete, allowing authentication bypass via an alternate path or channel (CWE-288). The root cause is that the module does not enforce the second factor on all possible entry points, leaving some login mechanisms unprotected [1][2].

Exploitation

Prerequisites

This vulnerability is mitigated by the fact that an attacker must already possess valid username and password credentials for the target Drupal site. The attacker can then authenticate through a login path that the module does not cover, thereby gaining access without providing the one-time code sent via email [2].

Impact

A successful bypass lets the attacker log into the victim's account without completing the second factor (email TFA). This effectively nullifies the additional security layer that the module was designed to provide, granting the attacker full access to the user's account and any associated privileges on the Drupal site. The impact is limited by the prerequisite of stolen or guessed credentials [1][2].

Mitigation

The maintainers have released version 2.0.6 of the Email TFA module, which fixes the vulnerability. Users are advised to upgrade to Email TFA 2.0.6 immediately. No workarounds are currently documented [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: drupal/email_tfa (Packagist)
Affected versions: < 2.0.6
Patched versions: 2.0.6

Affected products: 2

Patches: 0 (no patches discovered yet)


