CVE-2026-1917
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.
While Login Disable's lockdown is active, a login that does not go through the standard login form (for example, a Drupal 7 contrib endpoint that authenticates a user and then calls Drupal's normal login finalization) never hits the module's form-level check and is therefore never asked for the secret URL access key. This is an access control bypass: a user who holds the module's bypass permission can complete a login through such a non-form route without supplying the key that the module is supposed to require during lockdown.
An authorization control bypass occurs when a system fails to enforce its access controls consistently, allowing an attacker to reach resources or perform actions that should be denied. It typically stems from a flaw in the design or implementation of the authentication or authorization mechanism, such as a check that exists on one code path but not on another.
This issue affects all versions of Login Disable from 7.1.0 through 7.1.2.
Details
Module Info
- Product: Drupal 7
- Affected package: Login Disable
- Affected versions: >=7.1.0, <=7.1.2
- Repository: https://git.drupalcode.org/project/login_disable
- Project Page: https://www.drupal.org/project/login_disable
- Package manager: Composer
- Fixed in: Login Disable NES 7.1.3 [TODO: Add real link]
Vulnerability Info
This low-severity vulnerability affects the Login Disable module for Drupal 7 from 7.1.0 through 7.1.2.
When the module is active, the standard login form is protected by login_disable_form_user_login_alter(), which requires the configured access key to be present in the query string. However, before the fix, login_disable_user_login(), the module's hook_user_login() implementation, did not enforce that key. As a result, a login route that bypasses the form skipped the form-level protection and still completed login.
In Drupal 7, the right generic enforcement point is hook_user_login(), because it runs for every successful login regardless of the route that initiated it; Drupal 7 does not have the core HTTP login route that newer Drupal versions protect directly.
This means the vulnerable behavior occurs when all of the following hold:
- login disable is active
- a user has the `bypass disabled login` permission
- login happens through a non-form route
- the route completes login without the required access key in the query string
Under those conditions, the module fails to enforce its intended access-key restriction.
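The pattern below is an added illustration, not the Login Disable module's own code: it shows the same access-key check enforced both in the form alter (the only place the vulnerable versions checked it) and in hook_user_login(), which runs for every login regardless of route. The module name lockdown_example, the variable names lockdown_example_is_active and lockdown_example_key, and the helper lockdown_example_blocks_login() are assumptions for this example; the Drupal 7 core functions it calls (variable_get(), user_access(), user_load_by_name(), form_set_error(), watchdog(), session_destroy(), drupal_anonymous_user(), drupal_goto()) are real core API.

```php
<?php
/**
 * Hypothetical Drupal 7 module "lockdown_example" (example code, not the
 * Login Disable module). Variable names and the helper below are assumptions;
 * the permission name "bypass disabled login" is the one the advisory names.
 */

/**
 * Returns TRUE when lockdown is active and this request may NOT complete a
 * login for $account. Logging in during lockdown requires both the bypass
 * permission and the secret key as a query parameter (e.g. ?<key>=1).
 */
function lockdown_example_blocks_login($account) {
  if (!variable_get('lockdown_example_is_active', FALSE)) {
    return FALSE;
  }
  $key = variable_get('lockdown_example_key', '');
  // An empty key would let everyone through, so treat it as "key absent".
  $key_present = ($key !== '' && isset($_GET[$key]));
  $may_bypass = user_access('bypass disabled login', $account);
  return !($may_bypass && $key_present);
}

/**
 * Form-level enforcement: only protects logins that go through the
 * interactive user_login form. This is where the vulnerable versions
 * stopped, so any non-form login route never ran this check.
 */
function lockdown_example_form_user_login_alter(&$form, &$form_state) {
  $form['#validate'][] = 'lockdown_example_login_validate';
}

function lockdown_example_login_validate($form, &$form_state) {
  $account = user_load_by_name($form_state['values']['name']);
  if (!$account || lockdown_example_blocks_login($account)) {
    form_set_error('name', t('Logins are temporarily disabled.'));
  }
}

/**
 * Route-independent enforcement: hook_user_login() fires from
 * user_login_finalize() for every successful login, whether it came from
 * the form or from a contrib endpoint. If the check fails here, the session
 * that was just created is torn down (mirroring what user_logout() does)
 * and the request is redirected, so the form-level gap no longer matters.
 */
function lockdown_example_user_login(&$edit, $account) {
  if (!lockdown_example_blocks_login($account)) {
    return;
  }
  global $user;
  watchdog('lockdown_example',
    'Blocked lockdown login for %name: non-form route without the access key.',
    array('%name' => $account->name), WATCHDOG_WARNING);
  module_invoke_all('user_logout', $user);
  session_destroy();
  $user = drupal_anonymous_user();
  // A message set after session_destroy() rides along in a fresh
  // anonymous session, so the redirected page can still show it.
  drupal_set_message(t('Logins are temporarily disabled.'), 'error');
  drupal_goto('');
}
```

The important design point is that the key check lives in one helper called from both hooks, so the form-level and the generic enforcement cannot drift apart again. drupal_goto() ends the request, which is what you want: a non-form endpoint that called user_login_finalize() must not get the chance to return a "logged in" response after the session has been destroyed.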
Addressing the Issue
Users of the affected module should upgrade to a fixed release. Where an immediate upgrade is not possible, apply one or more of the following mitigations, which layer on top of each other:
- Reduce exposure by limiting or disabling non-form login endpoints (contrib modules or custom code that authenticate users outside the standard login form) while Login Disable is active.
- Put HTTP auth, IP allowlisting, VPN, or reverse-proxy restrictions in front of the site during lockdown, so that even a bypassed key check is not reachable from the open internet.
- Ensure only tightly controlled roles have the `bypass disabled login` permission, since the bypass only works for accounts that hold it.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
Credits
- Pierre Rudloff (prudloff)