drupal/openid_connect is vulnerable to Server-Side Request Forgery (SSRF)
60
Medium Risk
Affected versions of this package contain a server-side request forgery (SSRF) vulnerability caused by insufficient validation of certain fields received from the configured identity provider. Because these fields may be processed without proper restrictions, a malicious actor who controls or has compromised data at the identity provider could cause the application to perform unintended requests to internal or external resources, potentially leading to information disclosure. Exploitation requires the attacker to be able to supply manipulated data through the identity provider, and it depends on specific field mappings being configured.
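The advisory describes the defect as insufficient validation of provider-supplied fields before the application acts on them. The following is an added example, not code from drupal/openid_connect, showing the kind of check a site can apply to a URL-valued claim before fetching it. It assumes the mapped field is a URL the site would request (for example a profile-picture claim); the function name, the allowlisted host and the resolver parameter are hypothetical.

```php
<?php
// Added example, not drupal/openid_connect code: validate a URL-valued claim
// returned by the identity provider before the application fetches it.
// Assumptions: the mapped field is a URL the site would request; the function
// name, the allowlisted host and the injectable resolver are hypothetical.

declare(strict_types=1);

/**
 * Decide whether a URL supplied by the identity provider may be fetched.
 * Returns null when the URL is acceptable, otherwise a short reason string.
 *
 * @param callable|null $resolver  Maps a hostname to a list of IPs
 *                                 (defaults to gethostbynamel; injectable so
 *                                 the check can be exercised offline).
 */
function idp_url_fetch_violation(string $url, array $allowedHosts, ?callable $resolver = null): ?string {
    // Reject anything that is not a well-formed absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return 'malformed URL';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'missing scheme or host';
    }
    // Only https is fetched; this blocks file://, ftp:// and similar schemes.
    if (strtolower($parts['scheme']) !== 'https') {
        return 'scheme not https';
    }
    // Embedded credentials are a classic way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in URL';
    }
    $host = strtolower($parts['host']);
    // Host allowlist: only hosts belonging to the configured provider.
    if (!in_array($host, $allowedHosts, true)) {
        return 'host not in allowlist';
    }
    // Resolve every address and refuse private/reserved ranges, so a DNS
    // record pointing back at internal infrastructure is caught as well.
    $resolve = $resolver ?? 'gethostbynamel';
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : ($resolve($host) ?: []);
    if ($addresses === []) {
        return 'host does not resolve';
    }
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return "resolves to private/reserved address $ip";
        }
    }
    return null;
}

// Constructed sample data: a hypothetical provider host and a fake resolver so
// the example runs without network access.
$allowed = ['idp.example.test'];
$fakeResolver = function (string $host): array {
    return $host === 'idp.example.test' ? ['203.0.113.10'] : [];
};

// Constructed candidate values, as a userinfo claim might carry them.
$samples = [
    'https://idp.example.test/avatars/42.png',   // allowed
    'http://idp.example.test/avatars/42.png',    // rejected: scheme not https
    'https://10.0.0.5/avatars/42.png',           // rejected: host not in allowlist
    'https://user:pw@idp.example.test/',         // rejected: credentials in URL
    'not a url',                                 // rejected: malformed URL
];
foreach ($samples as $candidate) {
    $reason = idp_url_fetch_violation($candidate, $allowed, $fakeResolver);
    printf("%-45s %s\n", $candidate, $reason === null ? 'allowed' : "rejected ($reason)");
}
```

The resolution step here happens before the fetch, so a record that changes between the check and the request (DNS rebinding) is not covered by this check alone; a complete defence also pins the HTTP client to the address that was validated, or re-validates at connect time.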
You are affected if you are using a version that falls within the vulnerable range.
drupal/openid_connect is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.0.0 - 1.4.0.
Upgrade the drupal/openid_connect library to the patched version.