Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-5343

Summary
Assigner-drupal
Assigner Org ID-2c85b837-eb8b-40ed-9d74-228c62987387
Published At-28 May, 2026 | 22:48
Updated At-29 May, 2026 | 18:38
Rejected At-
Credits

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:drupal
Assigner Org ID:2c85b837-eb8b-40ed-9d74-228c62987387
Published At:28 May, 2026 | 22:48
Updated At:29 May, 2026 | 18:38
Rejected At:
â–¼CVE Numbering Authority (CNA)
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.

Affected Products
Vendor
The Drupal AssociationDrupal
Product
SAML SSO - Service Provider
Collection URL
https://www.drupal.org/project/miniorange_saml
Repo
https://git.drupalcode.org/project/miniorange_saml
Default Status
unaffected
Versions
Affected
  • From 0.0.0 before 3.1.4 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-754CWE-754 Improper Check for Unusual or Exceptional Conditions
Type: CWE
CWE ID: CWE-754
Description: CWE-754 Improper Check for Unusual or Exceptional Conditions
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-233CAPEC-233 Privilege Escalation
CAPEC ID: CAPEC-233
Description: CAPEC-233 Privilege Escalation
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Tim de Jong | Freelance Drupal Developer (tim_dj)
remediation developer
Sudhanshu Dhage (sudhanshu0542)
coordinator
Damien McKenna (damienmckenna)
coordinator
Greg Knaddison (greggles)
coordinator
Juraj Nemec (poker10)
coordinator
Jess (xjm)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.drupal.org/sa-contrib-2026-031
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2026-031
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.4HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:mlhess@drupal.org
Published At:28 May, 2026 | 23:16
Updated At:29 May, 2026 | 20:16

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.4HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-754Secondarymlhess@drupal.org
CWE ID: CWE-754
Type: Secondary
Source: mlhess@drupal.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.drupal.org/sa-contrib-2026-031mlhess@drupal.org
N/A
Hyperlink: https://www.drupal.org/sa-contrib-2026-031
Source: mlhess@drupal.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2025-47710
Matching Score-8
Assigner-Drupal.org
ShareView Details
Matching Score-8
Assigner-Drupal.org
CVSS Score-7.4||HIGH
EPSS-0.15% / 35.08%
||
7 Day CHG~0.00%
Published-14 May, 2025 | 17:03
Updated-10 Jun, 2025 | 15:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.7.0, from 5.0.0 before 5.2.0.

Action-Not Available
Vendor-miniorangeThe Drupal Association
Product-miniorange_2faEnterprise MFA - TFA for Drupal
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2026-8491
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-3.7||LOW
EPSS-0.04% / 11.35%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:28
Updated-27 May, 2026 | 15:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-adcisolutionsThe Drupal Association
Product-node_view_permissionsNode View Permissions
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-14840
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.08% / 23.95%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 20:03
Updated-06 Feb, 2026 | 18:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing.This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1.

Action-Not Available
Vendor-bmemeThe Drupal Association
Product-http_client_managerHTTP Client Manager
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2025-13080
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 26.04%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 16:54
Updated-24 Nov, 2025 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2026-0944
Matching Score-6
Assigner-Drupal.org
ShareView Details
Matching Score-6
Assigner-Drupal.org
CVSS Score-5.3||MEDIUM
EPSS-0.05% / 16.83%
||
7 Day CHG+0.01%
Published-04 Feb, 2026 | 20:25
Updated-11 Feb, 2026 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing.This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4.

Action-Not Available
Vendor-metadropThe Drupal Association
Product-group_inviteGroup invite
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CVE-2026-42246
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.02% / 3.73%
||
7 Day CHG~0.00%
Published-09 May, 2026 | 19:33
Updated-18 May, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
net-imap vulnerable to STARTTLS stripping via invalid response timing

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

Action-Not Available
Vendor-Ruby
Product-net\net-imap
CWE ID-CWE-392
Missing Report of Error Condition
CWE ID-CWE-393
Return of Wrong Status Code
CWE ID-CWE-636
Not Failing Securely ('Failing Open')
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CWE ID-CWE-841
Improper Enforcement of Behavioral Workflow
Details not found