This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.
The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.
This vulnerability is mitigated by the fact that an attacker must already possess valid account credentials.
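A log check for use of the HTTP login route described above, added here as an example; it is not part of the advisory or the module. The log lines are constructed, the combined access-log format, a site served from the web root and the names `http_login_requests` and `summarize` are assumptions, and treating a 200 response as a successful login is an assumption about how the site responds.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not from a real site).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /user/login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:01:05 +0000] "POST /user/login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:01:09 +0000] "POST /user/login?_format=json HTTP/1.1" 400 88 "-" "curl/8.5.0"
203.0.113.10 - - [12/Mar/2025:10:01:15 +0000] "POST /user/login?_format=json HTTP/1.1" 200 231 "-" "curl/8.5.0"
198.51.100.7 - - [12/Mar/2025:10:02:00 +0000] "POST /node/1?_format=json HTTP/1.1" 403 40 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2025:10:03:00 +0000] "POST /user/login?foo=1&_format=json HTTP/1.1" 200 240 "-" "python-requests/2.31"
"""

# client IP, timestamp, request line (method + target), status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def http_login_requests(log_text):
    """Yield one dict per POST to /user/login that carries a _format parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path != "/user/login":
            continue
        fmt = parse_qs(url.query).get("_format")
        if not fmt:
            continue  # form post to the UI login page, not the HTTP login route
        yield {"ip": m["ip"], "time": m["ts"],
               "format": fmt[0], "status": int(m["status"])}

def summarize(log_text):
    """Count HTTP-route login attempts and list sources that got a 200."""
    hits = list(http_login_requests(log_text))
    ok = [h for h in hits if h["status"] == 200]
    return {"attempts": len(hits), "succeeded": len(ok),
            "sources": sorted({h["ip"] for h in ok})}

if __name__ == "__main__":
    for hit in http_login_requests(SAMPLE_LOG):
        print(hit)
    print(summarize(SAMPLE_LOG))
```

On a site where the UI login page is disabled, any 200 in this output that predates the upgrade is a session worth reviewing.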
Install the latest version:
- If you use the Disable Login Page module, upgrade to Disable Login Page 1.1.3
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- Anoop John (anoopjohn)
- Jijo Joseph (jijojoseph_zyxware)
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
- cilefen (cilefen) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team