
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN126
_____________________________________________________________________

DATE                : 05/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Login Disable for Drupal
                            versions prior to 2.1.3.

=====================================================================
https://www.drupal.org/sa-contrib-2026-008
_____________________________________________________________________


Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
Project: Login Disable
Date: 2026-February-04
Security risk: Less critical 8 ∕ 25 
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: <2.1.3
CVE IDs: CVE-2026-1917


Description: 

The Login Disable module prevents users from logging in to your Drupal
site unless they know the access key to append to the URL of the login
form page (default: http://example.com/user/login?admin).
If they provide the access key and have a specific role, they can log
in.

The module does not check for the access key when using the HTTP 
request login route. It is possible to use this route to log in 
without providing the access key.
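
Added example (not part of the advisory or the module's code): a log review for sites that ran a version prior to 2.1.3, listing POST requests to the HTTP login route that carried no access key. The /user/login path with a _format query parameter is an assumption taken from Drupal core's routing, the log layout is assumed to be Combined Log Format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

ACCESS_KEY = "admin"  # module default per the advisory; use your configured key


def http_logins_without_key(lines, access_key=ACCESS_KEY):
    """Return (ip, timestamp, status) for POSTs to the HTTP login route
    whose query string did not contain the Login Disable access key."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/user/login":
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        # Assumption: a _format parameter selects the HTTP request login route
        # rather than the HTML form (Drupal core routing, not the advisory).
        if "_format" not in query or access_key in query:
            continue
        # Keep the status so responses can be triaged by outcome.
        hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Feb/2026:10:14:58 +0000] "GET /user/login?admin HTTP/1.1" 200 4096',
    '198.51.100.7 - - [03/Feb/2026:10:15:02 +0000] "POST /user/login?admin HTTP/1.1" 303 512',
    '203.0.113.9 - - [03/Feb/2026:10:16:40 +0000] "POST /user/login?_format=json HTTP/1.1" 200 431',
    '203.0.113.9 - - [03/Feb/2026:10:16:45 +0000] "POST /user/login?_format=json HTTP/1.1" 400 88',
    '198.51.100.7 - - [03/Feb/2026:10:17:10 +0000] "POST /user/login?_format=json&admin HTTP/1.1" 200 431',
]

if __name__ == "__main__":
    for ip, ts, status in http_logins_without_key(SAMPLE):
        print(f"{ts} {ip} HTTP login without access key, status {status}")
```
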


Solution: 

Install the latest version:

    If you use the Login Disable module, upgrade to Login Disable 2.1.3


Reported By: 

    Pierre Rudloff (prudloff), provisional member of the Drupal Security Team


Fixed By: 

    Boris Doesborg (batigolix)
    Pierre Rudloff (prudloff), provisional member of the Drupal Security Team


Coordinated By: 

    Greg Knaddison (greggles) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Pierre Rudloff (prudloff), provisional member of the Drupal Security Team

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




