Intel

AIKIDO-2025-10561

drupal/alogin is vulnerable to Authentication Bypass Using an Alternate Path or Channel

Authentication Bypass Using an Alternate Path or Channel
CVE-2025-8995
Published Aug 18, 2025

98

Critical Risk

This affects:

Ecosystem: PHP
Package: drupal/alogin
Vulnerable versions: 0.0.0 - 2.1.4
Fixed in: 2.1.5

TL;DR

Affected versions of this package are vulnerable to a Highly Critical Authentication Bypass vulnerability, where insufficient validation in AJAX callback handlers allows attackers to log in as any known user account without valid credentials. By sending a carefully crafted series of requests (as few as five by default) to trigger specific unvalidated authentication conditions, an attacker can completely bypass two-factor authentication protections. While the required request sequence might alert vigilant site monitors, the low threshold of requests, combined with predictable usernames, enables practical exploitation with a minimal forensic footprint.

Who does this affect?

You are affected if your site runs a drupal/alogin version inside the vulnerable range, 0.0.0 through 2.1.4.

Background info

drupal/alogin is vulnerable to Authentication Bypass Using an Alternate Path or Channel in versions 0.0.0 - 2.1.4.

How to fix this

Upgrade drupal/alogin to the patched version, 2.1.5.
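As an added example (not part of this advisory and not the module's own code), the following script checks a site's composer.lock against the affected range stated above; the composer.lock excerpt is constructed, and branch or dev versions are reported as undeterminable rather than guessed.

```python
import json
import re

# Values taken from the advisory: vulnerable 0.0.0 - 2.1.4, fixed in 2.1.5.
PACKAGE = "drupal/alogin"
FIXED_IN = (2, 1, 5)

# Constructed composer.lock excerpt for demonstration (not from a real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/alogin", "version": "2.1.4"},
    ]
})


def parse_version(version):
    """Turn '2.1.4' or 'v2.1.4' into (2, 1, 4).

    Returns None for branch/dev versions such as '2.x-dev' or 'dev-main',
    which cannot be ranked against the fixed release and need manual review.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def check_lock(lock_json):
    """Classify the installed PACKAGE as 'absent', 'unknown', 'vulnerable' or 'fixed'."""
    lock = json.loads(lock_json)
    # Both production and dev dependency sections are consulted.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                parsed = parse_version(pkg.get("version", ""))
                if parsed is None:
                    return "unknown"
                return "fixed" if parsed >= FIXED_IN else "vulnerable"
    return "absent"


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("composer.lock").read() on a real site.
    print(f"{PACKAGE}: {check_lock(SAMPLE_LOCK)}")
```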