Vulnerability from drupal
Published
2026-07-08 17:12
Modified
2026-07-08 17:12
Summary
Details
The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page.
The module doesn't sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an attacker to use a brute force attack to bypass the protection provided by this module. The security fix blocks these attempts with flood control.
This vulnerability is mitigated by the fact that an attacker must obtain a valid username & password.
Credits
References
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c2.1.4"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/login_disable"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c2.1.4"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [
"CVE-2026-15079"
],
"credits": [
{
"contact": [
"https://www.drupal.org/u/prudloff"
],
"name": "Pierre Rudloff (prudloff)"
}
],
"details": "The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page.\n\nThe module doesn\u0027t sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an attacker to use a brute force attack to bypass the protection provided by this module. The security fix blocks these attempts with flood control.\n\nThis vulnerability is mitigated by the fact that an attacker must obtain a valid username \u0026 password.",
"id": "DRUPAL-CONTRIB-2026-070",
"modified": "2026-07-08T17:12:32.000Z",
"published": "2026-07-08T17:12:32.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-070"
}
],
"schema_version": "1.7.0"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…