Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

Project:

Email TFA

Date:

2025-November-05

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<2.0.6

CVE IDs:

CVE-2025-12760

Description:

The Email TFA module provides additional email-based two-factor authentication for Drupal logins.

In certain scenarios, the module does not fully protect all login mechanisms as expected.

This issue is mitigated by the fact that an attacker must already have valid user credentials (username and password) to take advantage of the weakness.

Solution:

Install the latest version:

If you use the Email TFA module for Drupal, upgrade to Email TFA 2.0.6

Reported By:

Pierre Rudloff (prudloff) provisional member of the Drupal Security Team

Fixed By:

abdulaziz zaid

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Pierre Rudloff (prudloff)

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community