CVE-2026-6816
Description
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Users with the administer users permission in Drupal TFA Basic Plugins 7.x-1.0 to 7.x-1.2 can view or generate recovery codes for other users.
Vulnerability
An access bypass vulnerability exists in the Drupal TFA Basic Plugins module for Drupal 7, affecting versions 7.x-1.0 through 7.x-1.2 [1][2]. The module does not sufficiently restrict access to its TFA setup and recovery routes: a user who holds the "administer users" permission can reach /user/{uid}/security/tfa/app-setup, /user/{uid}/security/tfa/recovery-codes and /user/{uid}/security/tfa/recovery-codes-list with any other user's {uid} [1]. This is a broken access control flaw in the TFA setup and recovery code management flows [1].
Exploitation
An attacker must hold a Drupal role that includes the "administer users" permission [2]. With that permission, the attacker can request the affected routes for any other user's UID, reaching that user's TFA enrollment or recovery code pages [1]. Beyond holding the permission and re-entering their own password when the module prompts for it, no additional authentication or user interaction is required [1].
Impact
A privileged user can modify another user's two-factor authentication (TFA) enrollment or recovery state, including viewing or generating recovery codes for other users [1][2]. This undermines the security of the second authentication factor, potentially allowing the privileged user to bypass TFA protections for other accounts [1]. The scope of compromise is at the level of the targeted user's account security, potentially leading to further unauthorized access [1].
Mitigation
The fix is included in TFA Basic Plugins NES version 7.x-1.3; the sources do not give its release date [1][2]. Users are advised to upgrade to tfa_basic 7.x-1.3 immediately [2]. No workaround is documented for sites that cannot upgrade; because the flaw is only reachable by accounts holding the "administer users" permission, reviewing which roles and accounts carry that permission limits exposure in the meantime. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=7.x-1.0, <=7.x-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Overly broad route access checks in TFA Basic Plugins allowed users with the 'administer users' permission to access another user's TFA setup and recovery pages."
Attack vector
An attacker who has the "administer users" permission (User A) can access another user's (User B's) TFA setup and recovery pages by navigating to `user/[uid for User B]/security/tfa/app-setup`, `user/[uid for User B]/security/tfa/recovery-codes`, or `user/[uid for User B]/security/tfa/recovery-codes-list` [ref_id=1]. The attacker is prompted for their own password (not the target's); this re-authentication confirms who is making the request but does not establish ownership of the targeted account, and upon entering it the page returns a 200 status and reveals the target user's TOTP seed/QR code or recovery codes [ref_id=1]. This breaks the intended per-user isolation of authentication factors, allowing a privileged user to effectively bypass the target's second-factor security [ref_id=1].
Affected code
The vulnerability resides in the TFA Basic Plugins module for Drupal 7, specifically in the route access logic for the paths `/user/{uid}/security/tfa/app-setup`, `/user/{uid}/security/tfa/recovery-codes`, and `/user/{uid}/security/tfa/recovery-codes-list` [ref_id=1]. The access check function (referred to as `tfa_basic_setup_access` in the advisory) used overly broad permission checks that allowed users with the "administer users" permission to act on another user's TFA setup flows [ref_id=1].
What the fix does
The fix was released in TFA Basic NES version 7.x-1.3 [ref_id=1]. The patch restricts setup and recovery actions to the account owner and limits admin access to the intended admin paths only [ref_id=1]. Specifically, the `tfa_basic_setup_access` function was updated to enforce that only the account owner (or a system-level bypass) can view the secret-bearing pages, so the previously accessible routes now return a 403 Access Denied status for other users, including those holding "administer users" [ref_id=1].
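As an added illustration, and not code from the tfa_basic module (this page does not reproduce the body of `tfa_basic_setup_access`), the following Drupal 7 snippet shows the access-callback pattern the "Affected code" and "What the fix does" sections describe: the overly broad check beside the owner-only check the fix moves to. The module name `example_tfa`, the permission name "setup own tfa", the single menu entry and every function name are assumptions made for the illustration.

```php
<?php
/**
 * Added illustration (hypothetical module "example_tfa"), NOT tfa_basic code.
 *
 * Drupal 7 declares routes in hook_menu(); the %user wildcard loads the account
 * named by the {uid} path component and hands it to the access callback, which
 * decides whether the CURRENT user may see the page for THAT account.
 */

/**
 * Implements hook_menu() for the hypothetical module example_tfa.
 */
function example_tfa_menu() {
  $items = array();
  $items['user/%user/security/tfa/recovery-codes'] = array(
    'title' => 'Recovery codes',
    'page callback' => 'example_tfa_recovery_codes_page',
    'page arguments' => array(1),
    // Pointing this at example_tfa_setup_access_broad() reproduces the flaw
    // class; the owner-only callback is the corrected shape.
    'access callback' => 'example_tfa_setup_access_owner_only',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Overly broad check (the flaw class in 7.x-1.0 through 7.x-1.2).
 *
 * The second clause grants the secret-bearing page for ANY $account as soon as
 * the requester holds "administer users", which is exactly the cross-account
 * reach the advisory describes. Re-prompting the requester for their own
 * password afterwards does not help: it proves who is asking, not whose
 * secrets are being shown.
 */
function example_tfa_setup_access_broad($account) {
  global $user;
  return ((int) $user->uid === (int) $account->uid && user_access('setup own tfa'))
    || user_access('administer users');
}

/**
 * Owner-only check (the shape of the 7.x-1.3 fix as described above).
 *
 * Only the account owner may open the secret-bearing pages. Administrators
 * keep whatever separate admin paths the module exposes, but "administer
 * users" alone no longer unlocks another user's setup or recovery codes.
 * user_access() returns TRUE for uid 1 regardless of permission; the
 * ownership comparison is applied to uid 1 as well.
 */
function example_tfa_setup_access_owner_only($account) {
  global $user;
  if (empty($user->uid) || empty($account->uid)) {
    return FALSE;
  }
  return (int) $user->uid === (int) $account->uid && user_access('setup own tfa');
}

/**
 * Page callback. Re-checking ownership here is defence in depth: a later
 * hook_menu_alter() or a copy-pasted router entry with a wider access
 * callback cannot silently expose the page.
 */
function example_tfa_recovery_codes_page($account) {
  global $user;
  if ((int) $user->uid !== (int) $account->uid) {
    drupal_access_denied();
    drupal_exit();
  }
  // The real module renders the account's recovery codes here; this
  // illustration only confirms that the ownership check passed.
  return array(
    '#markup' => t('Recovery codes for @name', array('@name' => $account->name)),
  );
}
```

In Drupal 7 the access callback runs before the page callback, so with the owner-only callback the menu router itself answers cross-account requests with 403, matching the behaviour the advisory attributes to 7.x-1.3; the second check inside the page callback only matters if a router entry is later added or altered with a wider access callback.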
Preconditions
- auth: Attacker must have the 'administer users' permission assigned to their Drupal role.
- config: Target user must have TFA set up with active secrets (TOTP seed and/or recovery codes).
- input: Attacker must know the target user's UID to construct the URL paths.
- network: Attacker must be able to reach the Drupal site's web interface over HTTP/HTTPS.
Reproduction
1. Install Drupal 7 with the TFA Basic module, version 7.x-1.0 through 7.x-1.2, and its TFA dependency.
2. Enable the TFA and TFA Basic modules.
3. Clone the QR code library: `cd sites/all/modules/contrib/tfa_basic/includes/ && git clone https://github.com/davidshimjs/qrcodejs.git`.
4. Go to `admin/config/people/tfa`, enable TFA, set the default validation plugin to TOTP (TFA Basic), and enable Recovery codes as a fallback.
5. Create User A with the "administer users" permission and User B with a role that grants "Set up TFA for account" but not "Administer users". Record User B's UID.
6. Log in as User B, navigate to `user/[uid for User B]/security/tfa/app-setup`, and complete TOTP setup.
7. Log in as User A and navigate to `user/[uid for User B]/security/tfa/app-setup`, `user/[uid for User B]/security/tfa/recovery-codes`, and `user/[uid for User B]/security/tfa/recovery-codes-list`. Enter User A's own password when prompted.
8. Observe that User A receives a 200 response and can view User B's TOTP seed/QR code or recovery codes [ref_id=1].
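A script form of steps 7 and 8, added here as a check and not taken from the advisory or the module: it replays the three cross-account GET requests with a session cookie copied from a browser logged in as User A and reports the HTTP status each route returns, so a site can be compared before and after the 7.x-1.3 upgrade. It assumes clean URLs, that an unfixed site answers the GET with the password prompt page (HTTP 200) while a fixed site answers 403 as the advisory describes, and that User A's own `user/{uid}/edit` page returns 200 (used only as a sanity check that the session is live and privileged). Site URL, cookie, and both UIDs are supplied on the command line; nothing here submits the password form or reads the secrets.

```php
<?php
/**
 * Added verification script (not part of the advisory or the tfa_basic module).
 * Usage:
 *   php tfa_probe.php https://drupal.example 'SESSabc123=<value>' <uid of User A> <uid of User B>
 * Exit status: 0 = all three routes denied (fixed), 1 = at least one rendered
 * (affected), 2 = could not run the check.
 */

/** The three routes the advisory names, built for the target UID. */
function tfa_probe_routes($target_uid) {
  $base = 'user/' . (int) $target_uid . '/security/tfa/';
  return array(
    $base . 'app-setup',
    $base . 'recovery-codes',
    $base . 'recovery-codes-list',
  );
}

/** GET one path with the supplied session cookie and return the HTTP status. */
function tfa_probe_status($site, $cookie, $path) {
  $ch = curl_init(rtrim($site, '/') . '/' . $path);   // assumes clean URLs
  curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_FOLLOWLOCATION => FALSE,   // a redirect would hide a 403/200
    CURLOPT_COOKIE => $cookie,
    CURLOPT_USERAGENT => 'tfa-probe/1.0',
  ));
  curl_exec($ch);
  $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch);
  return $code;
}

/**
 * Interpret the status codes: 200 on any route means the cross-account page
 * rendered (the password prompt is the first thing an unfixed site shows);
 * 403 on all three is the fixed behaviour. Anything else is inconclusive
 * (e.g. 404 if the module is not enabled for that user).
 */
function tfa_probe_verdict(array $codes) {
  foreach ($codes as $code) {
    if ($code === 200) {
      return 'AFFECTED';
    }
  }
  $unique = array_unique(array_values($codes));
  return (count($unique) === 1 && $unique[0] === 403) ? 'FIXED' : 'INCONCLUSIVE';
}

if (PHP_SAPI === 'cli') {
  if ($argc < 5) {
    fwrite(STDERR, "usage: php tfa_probe.php <site> <cookie> <attacker uid> <target uid>\n");
    exit(2);
  }
  list(, $site, $cookie, $attacker_uid, $target_uid) = $argv;

  // Sanity check: User A's own edit page must render, proving the cookie is a
  // live session; otherwise three 403s would be misread as "fixed".
  $own = tfa_probe_status($site, $cookie, 'user/' . (int) $attacker_uid . '/edit');
  if ($own !== 200) {
    fwrite(STDERR, "session check failed (HTTP $own); is the cookie a valid User A session?\n");
    exit(2);
  }

  $codes = array();
  foreach (tfa_probe_routes($target_uid) as $path) {
    $codes[$path] = tfa_probe_status($site, $cookie, $path);
    printf("%-45s HTTP %d\n", $path, $codes[$path]);
  }
  $verdict = tfa_probe_verdict($codes);
  echo "verdict: $verdict\n";
  exit($verdict === 'FIXED' ? 0 : 1);
}
```

Run it once on the unpatched site (expect three 200s and verdict AFFECTED) and again after upgrading to tfa_basic 7.x-1.3 (expect three 403s and verdict FIXED); an INCONCLUSIVE verdict usually means the target user has not completed TFA setup or the module paths differ from the ones the advisory lists.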
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.