CVE-2026-3530
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.
The module does not sufficiently validate certain fields received from the configured identity provider during first-time sign-in and account provisioning. A malicious or compromised identity provider can abuse those fields to trigger server-side requests to unintended destinations and disclose sensitive information.
Information exposure, often referred to as information disclosure or sensitive data exposure, is a high-severity vulnerability where applications inadvertently reveal confidential or useful details to unauthorized parties due to inadequate protections, such as weak cryptography, misconfigurations, or flawed access controls. According to OWASP, this can stem from transmitting data in clear text, using outdated cryptographic algorithms, improper key management, or failing to sanitize error messages and responses, allowing attackers to intercept, infer, or directly access information like configurations, server details, user credentials, or API keys. It aligns with OWASP Top 10 categories including A01:2021 – Broken Access Control (ranked first) and A05:2021 – Security Misconfiguration (ranked fifth), as well as evolving from the 2017 A3: Sensitive Data Exposure, now encompassed in A02:2021 – Cryptographic Failures (ranked second). Attackers exploit this through techniques like network sniffing, analyzing error outputs, or leveraging misconfigured endpoints, potentially leading to escalated attacks.
Ramifications include:
- Data breaches
- Identity theft
- Financial losses
- Further exploits
- Legal penalties
- Reputational damage
This issue affects OpenID Connect versions 7.1.0 through 7.1.3.
Details
Module Info
- Product: Drupal 7
- Affected package: OpenID Connect
- Affected versions: >=7.1.0 <=7.1.3
- Repository: https://git.drupalcode.org/project/openid_connect
- Project Page: https://www.drupal.org/project/openid_connect
- Package manager: Composer
- Fixed in: OpenID Connect NES 7.1.4
Vulnerability Info
This medium-severity vulnerability affects OpenID Connect versions 7.1.0 through 7.1.3 for Drupal 7.
When OpenID Connect login completes, the module retrieves provider-supplied user info and, if user pictures are enabled, passes $userinfo['picture'] into openid_connect_save_user_picture(). Before the fix, that function fetched the URL server-side with insufficient validation.
In summary, the vulnerable sequence is:
- OpenID Connect authentication or account connection completes successfully
- Drupal user pictures are enabled
- openid_connect_user_pictures is enabled
- the identity provider returns an attacker-controlled picture value
- the module fetches that URL server-side without sufficient validation
Under those conditions, a malicious or compromised identity provider can cause the Drupal server to request unintended resources, including non-HTTP(S) targets such as file://, and can expose non-image or sensitive response data through the picture-fetch path. The fix restricts schemes to HTTP and HTTPS, adds fetch and size checks, requires an image content type, and verifies that the downloaded body is a valid image before saving it.
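As an added example (not the module's own code or its actual fix), the following shows how the checks listed above, a scheme allowlist, a bounded fetch, a size cap, an image content type requirement and a decode check on the body, can be applied to a provider-supplied picture URL on a Drupal 7 site. The function names and the 2 MB cap are assumptions; the Drupal APIs used are core Drupal 7 functions.

```php
<?php
// Added example, not the OpenID Connect module's own code: a hardened fetch of a
// provider-supplied picture URL on a Drupal 7 site. Assumes a Drupal 7 bootstrap
// (drupal_http_request(), watchdog(), file_save_data(), variable_get() are core
// D7 APIs); the function names and the 2 MB cap are hypothetical choices.
define('EXAMPLE_PICTURE_MAX_BYTES', 2097152);

// Fetch and validate a provider-supplied picture; returns FALSE if rejected.
function example_fetch_provider_picture($url, $uid) {
  $parts = @parse_url($url);
  $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
  // 1. Scheme allowlist: file://, php://, data: and similar never reach a fetch.
  if (!in_array($scheme, array('http', 'https'), TRUE) || empty($parts['host'])) {
    return example_reject_picture($url, 'unsupported scheme');
  }
  // 2. Bounded fetch: short timeout, limited redirects, 200 response required.
  $resp = drupal_http_request($url, array('timeout' => 5, 'max_redirects' => 2));
  if (!empty($resp->error) || (int) $resp->code !== 200) {
    return example_reject_picture($url, 'fetch failed or non-200 response');
  }
  // 3. Size cap: check the advertised length, then the body actually read.
  $declared = isset($resp->headers['content-length']) ? (int) $resp->headers['content-length'] : 0;
  if ($declared > EXAMPLE_PICTURE_MAX_BYTES || strlen($resp->data) > EXAMPLE_PICTURE_MAX_BYTES) {
    return example_reject_picture($url, 'response exceeds size cap');
  }
  // 4. Require an image content type (drupal_http_request() lowercases header names).
  $ctype = isset($resp->headers['content-type']) ? strtolower($resp->headers['content-type']) : '';
  if (strpos($ctype, 'image/') !== 0) {
    return example_reject_picture($url, 'non-image content type');
  }
  // 5. The bytes must decode as an image; a mislabelled text or HTML body fails here.
  $info = @getimagesizefromstring($resp->data);
  $allowed = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
  if ($info === FALSE || !in_array($info[2], $allowed, TRUE)) {
    return example_reject_picture($url, 'body is not a valid image');
  }
  // 6. Only now write the managed file into the configured user picture directory.
  $dir = file_default_scheme() . '://' . variable_get('user_picture_path', 'pictures');
  file_prepare_directory($dir, FILE_CREATE_DIRECTORY);
  $ext = image_type_to_extension($info[2], FALSE);
  return file_save_data($resp->data, $dir . '/picture-' . (int) $uid . '.' . $ext, FILE_EXISTS_REPLACE);
}

// Log a watchdog warning and skip the picture; the login itself is unaffected.
function example_reject_picture($url, $reason) {
  watchdog('openid_connect', 'Skipped provider picture URL @url: @reason',
    array('@url' => $url, '@reason' => $reason), WATCHDOG_WARNING);
  return FALSE;
}
```

Because the rejection path only logs and returns FALSE, a caller that treats the return value as optional lets sign-in complete without a picture, which matches the post-fix behaviour described in this advisory.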
Steps To Reproduce
- Create a Drupal 7 installation and install a vulnerable version of the OpenID Connect module, such as 7.1.3.
- Enable the OpenID Connect module.
- Enable Drupal user pictures. In Drupal admin:
  - Go to admin/config/people/accounts
  - Enable user pictures
  - Save configuration
- Configure OpenID Connect at /admin/config/services/openid-connect. On that form:
  - Enable the desired OpenID Connect client
  - Enable "Fetch user profile picture from login provider"
  - Save configuration
- Start the login flow:
  - Log out of Drupal
  - Visit any page where the OpenID Connect login option is visible
  - Start login with the configured provider
  - Authenticate using a test identity whose provider profile returns an unsafe picture URL, such as a non-HTTP(S) URL or another unexpected resource location
Expected result with the patch
- Login or account creation can still succeed
- Drupal returns the user to the page where the login flow was started
- The unsafe picture URL is not fetched
- The picture is skipped
- A warning is logged indicating the picture URL was rejected
- Verify the result. If a new user was created, confirm the account exists:
  ddev drush sqlq "SELECT uid, name, mail, status, created FROM users ORDER BY uid DESC LIMIT 5;"
  Check recent watchdog entries:
  ddev drush ws --count=20
  Expect a watchdog warning indicating that the picture URL was invalid or unsafe.
Before patch:
- the module may accept a provider-supplied unsafe picture URL
- the unsafe URL can reach the server-side fetch path
After patch:
- the unsafe URL is rejected before fetch
- a watchdog warning is logged
- login can still proceed, but the picture is not saved
Addressing the Issue
Users of the affected module should apply one of the following mitigations:
- Disable provider-supplied profile picture fetching in OpenID Connect configuration.
- Avoid custom integrations that use provider-controlled URL fields (especially the picture field).
- Limit use of this module to trusted identity providers under your control.
- Restrict who can configure or modify OpenID Connect client settings and provider integrations.
- Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
Credits
- Drew Webber (mcdruid)