Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-April-02
Security risk:
Vulnerability:
Access bypass
Affected versions:
<2.0.4
CVE IDs:
CVE-2025-3129
Description:
This module enables users to log in using a short access code instead of providing a username/password combination.
The module doesn't sufficiently protect against brute force attacks to guess a user's access code.
This vulnerability is mitigated by the fact that access code based logins are off by default and only enabled for accounts that enable it. Sites could mitigate the issue without updating by:
- disabling the access code login method for critical accounts
- monitor and prevent brute force attacks in other ways (for example, with a Web Application Firewall)
Solution:
Install the latest version:
- If you use the access_code module for Drupal 8.x or later, upgrade to access_code 2.0.4
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
