SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Description

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to a authentication bypass vulnerability.

Solution

Install the latest version.

If you use the SAML SSO - Service Provider module for Drupal 7, upgrade to miniorange_saml 7.x-2.74:

• miniorange_saml 7.x-2.74.tar.gz
• miniorange_saml 7.x-2.74.zip

Reported by

• Tim de Jong | Freelance Drupal Developer (tim_dj)

Fixed by

• Sudhanshu Dhage (sudhanshu0542)
• Tag1 D7ES

Coordinated by

• Damien McKenna (damienmckenna) of the Drupal Security Team
• Greg Knaddison (greggles) of the Drupal Security Team
• Juraj Nemec (poker10) of the Drupal Security Team
• Jess (xjm) of the Drupal Security Team
• Tag1 D7ES