Severity: HIGH | CVE-2026-5343 | CNA: drupal

CVE-2026-5343: SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4.

HarborGuard Analysis

Synopsis

An authentication bypass in the Drupal SAML SSO - Service Provider module lets an unauthenticated attacker escalate privileges by exploiting improper handling of unusual SAML response conditions. The flaw is reachable over the network without any credentials or victim interaction, and successful exploitation yields full read and write access to the targeted Drupal site under another user's identity. A patched-image rebuild at version 3.1.4 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Drupal security advisories within minutes of publication and matched against container images in customer registries and CI pipelines, including custom-built images that bundle the SAML SSO - Service Provider module.

Triage (Available)

Triage is available with the published CVSS v3.1 score of 7.4 (High) weighted against each customer's compliance policy, so SAML-fronted or SSO-critical workloads can be escalated above the default High routing. Findings are delivered to the security inbox configured for the owning team inside each customer org.

Patch (Available)

A patched-image rebuild at SAML SSO - Service Provider 3.1.4 is available on HarborGuard for affected environments. Customers with auto-remediation enabled get the rebuilt image, an automated regression-test run, and a pull request opened against every workload still pinned to a vulnerable version.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Drupal site's SAML endpoints over the network.

  • Authentication: Not required

    No credentials are needed; the bypass is exploitable by an unauthenticated attacker.

  • Victim interaction: Not required

    No user has to click a link or take any action for the attack to succeed.

  • Attack complexity (detail)

    AC:H indicates the exploit depends on specific SAML response conditions or timing that the attacker cannot fully control.

Blast Radius

  • Authenticates to the Drupal site as another user, including potentially administrative accounts, bypassing SAML identity checks.
  • Reads any content and user data accessible to the impersonated account, including private nodes and stored profile fields.
  • Modifies site content, user records, and configuration to the extent permitted by the impersonated account's role.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt image pinning SAML SSO - Service Provider to 3.1.4, with regression tests executed automatically and a patch PR opened against every affected workload for customers who opt into auto-remediation. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in auto-remediation environments; environments on manual remediation get the same rebuilt image and PR draft surfaced in their security inbox, with the option to gate the SAML login flow behind a network policy or feature flag until the patch lands.

Metrics

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: 3.1.4
Affected Products: 1

Fix available: 3.1.4

Affected packages
  • Drupal / SAML SSO - Service Provider: < 3.1.4 (from 0.0.0)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N