Date
Severity
Less Critical
Vulnerability
Access Bypass
Affected versions
<7.x-1.3

Description

The Login Disable module prevents users from logging in to your Drupal site unless they append a configured access key to the URL of the login form page. A user who supplies the access key and holds one of the permitted roles can log in.

The module only enforces the access key on the login form itself. It does not check for the key on other login paths, so a user with valid credentials can bypass the access key requirement by logging in through a non-form method such as the Services module or a RESTful login endpoint.

This vulnerability is mitigated by the fact that the attacker still needs valid credentials for an account on the site, and that it only affects sites that have enabled the login disable functionality with an access key configured.
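To make the root cause concrete, the following is an added illustration, not code from the Login Disable module or its fix. It contrasts a gate that hangs off the Drupal 7 login form only with one that runs for every login. The `login_gate_*` function names, the `login_gate_key` and `login_gate_rids` variables, and the `?key=` query parameter are assumptions made for this example; the Drupal APIs used (`hook_form_FORM_ID_alter`, `hook_user_login`, `drupal_session_destroy_uid()`, `drupal_anonymous_user()`) are real Drupal 7 APIs.

```php
<?php
// Added illustrative example (not the Login Disable module's own code).
// Assumed names: login_gate_* functions, variables 'login_gate_key' and
// 'login_gate_rids', and the ?key= query parameter. Assumes PHP >= 5.6
// for hash_equals().

/**
 * TRUE if the current request carries the configured access key.
 */
function login_gate_key_present() {
  $expected = variable_get('login_gate_key', '');
  if ($expected === '' || !isset($_GET['key'])) {
    return FALSE;
  }
  // Constant-time comparison so the key cannot be guessed via timing.
  return hash_equals($expected, (string) $_GET['key']);
}

/**
 * TRUE if $account holds at least one role allowed through the gate.
 * $account->roles is keyed by role ID (rid) in Drupal 7.
 */
function login_gate_account_allowed($account) {
  $allowed_rids = variable_get('login_gate_rids', array());
  return (bool) array_intersect(array_keys($account->roles), $allowed_rids);
}

/*
 * VULNERABLE PATTERN: the check is attached to the login form only.
 * Services' user login resource (and any other code that authenticates
 * and then calls user_login_finalize()) never builds this form, so the
 * validate handler below never runs for it. Valid credentials are enough.
 */
function login_gate_form_user_login_alter(&$form, &$form_state) {
  $form['#validate'][] = 'login_gate_form_validate';
}

function login_gate_form_user_login_block_alter(&$form, &$form_state) {
  $form['#validate'][] = 'login_gate_form_validate';
}

function login_gate_form_validate($form, &$form_state) {
  // Runs after user_login_authenticate_validate(), which sets $form_state['uid'].
  $account = empty($form_state['uid']) ? NULL : user_load($form_state['uid']);
  if (!login_gate_key_present() || !$account || !login_gate_account_allowed($account)) {
    form_set_error('name', t('Logins are currently disabled.'));
  }
}

/*
 * HARDENED PATTERN: enforce the gate in hook_user_login(), which
 * user_login_finalize() invokes for every login regardless of entry point
 * (login form, login block, Services resource, drush uli, ...).
 * hook_user_login() cannot veto a login in Drupal 7, so the session that
 * user_login_finalize() just created is torn down instead, leaving the
 * caller anonymous.
 */
function login_gate_user_login(&$edit, $account) {
  if (login_gate_key_present() && login_gate_account_allowed($account)) {
    return;
  }
  global $user;
  watchdog('login_gate', 'Login by %name refused: access key missing or role not permitted.',
    array('%name' => $account->name), WATCHDOG_WARNING);
  drupal_session_destroy_uid($account->uid);
  $user = drupal_anonymous_user();
}
```

The form validate handlers can stay as a friendlier early rejection for interactive users, but with the `hook_user_login()` check in place they are no longer the security boundary. When testing the fix, exercise a non-form login path (for example a Services `user/login` POST with valid credentials and no key) and confirm the response carries an anonymous user rather than a live session for the account.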

Solution

Install the latest version.

If you use the Login Disable module for Drupal 7, upgrade to Login Disable 7.x-1.3.


Reported by

Fixed by

Coordinated by