Vulnerability from drupal
Published
2026-02-04 17:23
Modified
2026-02-04 17:23
Summary
Details

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page.
( default: http://example.com/user/login?admin )
If they provide the access key and have a specific role they can log in.

The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.

Credits
Pierre Rudloff (prudloff) www.drupal.org/u/prudloff
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c2.1.3"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/login_disable"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c2.1.3"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-1917"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/prudloff"
      ],
      "name": "Pierre Rudloff (prudloff)"
    }
  ],
  "details": "The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page.  \n( default: \u003chttp://example.com/user/login?admin\u003e )  \nIf they provide the access key and have a specific role they can log in.\n\nThe module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.",
  "id": "DRUPAL-CONTRIB-2026-008",
  "modified": "2026-02-04T17:23:40.000Z",
  "published": "2026-02-04T17:23:40.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-008"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.