SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Project:

Date:

2026-April-01

Security risk:

Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Authentication bypass

Affected versions:

<3.1.4

CVE IDs:

CVE-2026-5343

Description:

This module enables you to perform SAML-protocol-based single-sign-on (SSO) on a Drupal site.

The module doesn't sufficiently block access, leading to a authentication bypass vulnerability.

Solution:

Install the latest version:

If you are using the SAML SSO - Service Provider module for Drupal, upgrade to SAML SSO - Service Provider 3.1.4.

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.