VYPR
High severity · NVD Advisory · Published Mar 31, 2025 · Updated Apr 29, 2025

OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

CVE-2025-31691

Description

Missing authorization in Drupal OAuth2 Server allows forceful browsing, enabling authentication bypass on disabled servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2025-31691 is a missing-authorization vulnerability in the Drupal OAuth2 Server module (drupal/oauth2_server), affecting versions before 2.1.0. The module does not consistently enforce the administrative configuration of its servers: the OAuth2 endpoints of a server that an administrator has disabled remain reachable and functional, so a client that requests them directly can use that server as if it were still enabled [1][2]. The Drupal advisory classifies this as access bypass via forceful browsing.

Exploitation

An attacker who can reach the site's OAuth2 routes exploits the flaw by forceful browsing: requesting the endpoints of a disabled server directly, rather than through any link or flow the site exposes. Because the disabled state is not checked on those endpoints, the OAuth2 exchange completes and tokens are issued as though the server were enabled, giving the attacker whatever access those tokens grant to protected resources [2].
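
The following is an added illustration, not code from the oauth2_server module or from the Drupal advisory. It models the overview and exploitation sections above in plain PHP (8.1+): a per-server "enabled" flag, a token endpoint written in the vulnerable pattern that never consults that flag, and a hardened variant that refuses disabled servers before any OAuth2 processing. The class, function and server names, and the in-memory registry, are hypothetical stand-ins for the module's configuration entities and routes.

```php
<?php
// Added illustration (not the oauth2_server module's own code): a minimal
// model of a per-server "enabled" flag and two versions of a token endpoint,
// showing what "missing authorization on a disabled server" means in practice.
// OAuth2Server, serverRegistry(), the endpoint functions and the server ids
// are all hypothetical names chosen for this example.

declare(strict_types=1);

final class OAuth2Server
{
    public function __construct(
        public readonly string $id,
        public readonly bool $enabled,
    ) {}
}

/** Constructed registry standing in for the module's server config entities. */
function serverRegistry(): array
{
    return [
        'public_api' => new OAuth2Server('public_api', true),
        'legacy_api' => new OAuth2Server('legacy_api', false), // admin disabled it
    ];
}

/**
 * Vulnerable pattern: the endpoint resolves the server and serves the request.
 * Nothing consults $server->enabled, so a client that knows (or guesses) the
 * route for 'legacy_api' still gets a token. This is the forceful-browsing
 * bypass: no link leads here, the attacker simply requests the URL.
 */
function vulnerableTokenEndpoint(string $serverId, array $servers): array
{
    if (!isset($servers[$serverId])) {
        return ['status' => 404, 'body' => 'unknown server'];
    }
    // ... client authentication and grant handling would happen here ...
    return ['status' => 200, 'body' => 'access_token issued by ' . $serverId];
}

/**
 * Hardened pattern: the administrative "enabled" state is enforced before any
 * OAuth2 processing, and a disabled server is answered exactly like a
 * nonexistent one so forceful browsing cannot even confirm it exists.
 */
function hardenedTokenEndpoint(string $serverId, array $servers): array
{
    $server = $servers[$serverId] ?? null;
    if ($server === null || !$server->enabled) {
        return ['status' => 404, 'body' => 'not found'];
    }
    // ... client authentication and grant handling would happen here ...
    return ['status' => 200, 'body' => 'access_token issued by ' . $serverId];
}

// Exercise both patterns against the enabled and the disabled server.
$servers = serverRegistry();
foreach (['vulnerableTokenEndpoint', 'hardenedTokenEndpoint'] as $fn) {
    foreach (['public_api', 'legacy_api'] as $id) {
        $r = $fn($id, $servers);
        printf("%-24s %-10s -> %d %s\n", $fn, $id, $r['status'], $r['body']);
    }
}
```

Running it shows the vulnerable endpoint answering 200 for legacy_api, the server the administrator believes is switched off, while the hardened endpoint answers 404 for it and 200 only for public_api. In a real Drupal module the enabled check belongs in route access control (a route requirement such as _custom_access, or a service tagged access_check) rather than inside each controller body, so that every route of a server is covered at once; whether that is how release 2.1.0 implements the fix is not stated in the advisory text on this page.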

Impact

Successful exploitation means a server that operators believe is switched off keeps issuing OAuth2 tokens, and every client, API or downstream system that trusts tokens from that server keeps accepting them. The Drupal security team rates the issue Moderately critical, but the practical impact depends on what the disabled server was protecting: if it fronts integrated systems, or was disabled precisely because its clients or grants were no longer trusted, the bypass can amount to a significant privilege escalation.

Mitigation

The vulnerability is fixed in OAuth2 Server 2.1.0; sites running any earlier release should upgrade immediately [2]. No workaround is available, and disabling a server in the administrative UI cannot be relied on as a stopgap, since that disabled state is exactly what vulnerable versions fail to enforce. After upgrading, confirm that direct requests to the endpoints of a disabled server are refused.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: drupal/oauth2_server (Packagist)
Affected versions: < 2.1.0
Patched versions: 2.1.0

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)