Search criteria
2 vulnerabilities found for TFA Basic Plugins by Drupal
CVE-2026-6816 (GCVE-0-2026-6816)
Vulnerability from nvd – Published: 2026-05-28 22:50 – Updated: 2026-05-29 18:33
VLAI
Title
TFA Basic Plugins - Access Bypass
Summary
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
Severity
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/tfa-bas… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | TFA Basic Plugins |
Affected:
7.x-1.0 , ≤ 7.x-1.2
(custom)
|
Date Public
2025-08-25 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:33:12.747287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:33:20.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa_basic",
"defaultStatus": "unknown",
"product": "TFA Basic Plugins",
"repo": "https://git.drupalcode.org/project/tfa_basic",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.2",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\u003cbr\u003e\u003cp\u003eThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.\u003c/p\u003e"
}
],
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:50:49.419Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "Drupal security advisory SA-CONTRIB-2025-085",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TFA Basic Plugins - Access Bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft record revised for CVE-2026-6816 as a standalone TFA Basic Plugins CVE based on Drupal.org issue #3577095."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6816",
"datePublished": "2026-05-28T22:50:49.419Z",
"dateReserved": "2026-04-21T19:10:28.105Z",
"dateUpdated": "2026-05-29T18:33:20.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6816 (GCVE-0-2026-6816)
Vulnerability from cvelistv5 – Published: 2026-05-28 22:50 – Updated: 2026-05-29 18:33
VLAI
Title
TFA Basic Plugins - Access Bypass
Summary
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.
This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.
Severity
CWE
- CWE-267 - Privilege Defined With Unsafe Actions
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://d7es.tag1.com/security-advisories/tfa-bas… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Drupal | TFA Basic Plugins |
Affected:
7.x-1.0 , ≤ 7.x-1.2
(custom)
|
Date Public
2025-08-25 07:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T18:33:12.747287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:33:20.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816?nes-for-drupal-7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.drupal.org/project/tfa_basic",
"defaultStatus": "unknown",
"product": "TFA Basic Plugins",
"repo": "https://git.drupalcode.org/project/tfa_basic",
"vendor": "Drupal",
"versions": [
{
"lessThanOrEqual": "7.x-1.2",
"status": "affected",
"version": "7.x-1.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-08-25T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\u003cbr\u003e\u003cp\u003eThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.\u003c/p\u003e"
}
],
"value": "An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users.\n\n\nThis issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-267",
"description": "CWE-267 Privilege Defined With Unsafe Actions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:50:49.419Z",
"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"shortName": "drupal"
},
"references": [
{
"name": "Drupal security advisory SA-CONTRIB-2025-085",
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-6816"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TFA Basic Plugins - Access Bypass",
"x_generator": {
"engine": "Vulnogram 0.5.0",
"note": "Draft record revised for CVE-2026-6816 as a standalone TFA Basic Plugins CVE based on Drupal.org issue #3577095."
}
}
},
"cveMetadata": {
"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
"assignerShortName": "drupal",
"cveId": "CVE-2026-6816",
"datePublished": "2026-05-28T22:50:49.419Z",
"dateReserved": "2026-04-21T19:10:28.105Z",
"dateUpdated": "2026-05-29T18:33:20.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}