OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

Project:

Date:

2025-February-26

Security risk:

Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon

Vulnerability:

Access bypass

Affected versions:

<2.1.0

CVE IDs:

CVE-2025-31691

Description:

Provides OAuth2 server functionality based on the oauth2-server-php library.

The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate.

Solution:

Install the latest version:

If you use the OAuth2 server module for Drupal 2.x, upgrade to OAuth2 server 2.1.0

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.