Intel

AIKIDO-2026-709394

drupal/salesforce is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF)CVE-2026-13243 Published Jun 25, 2026

58

Medium Risk

This Affects:

PHPdrupal/salesforce
0.0.1 - 5.1.2
Fixed in 5.1.3
Are you affected? Scan for Free

TL;DR

The Salesforce Suite modules for Drupal do not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization process and bind a site to an attacker-controlled Salesforce account. This issue only affects sites using the deprecated salesforce_oauth submodule with an active OAuth authorization profile. Sites that use only salesforce_jwt for authentication are not affected.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/salesforce is vulnerable to Cross-Site Request Forgery (CSRF) in versions 0.0.1 - 5.1.2.

How to fix this

Upgrade the drupal/salesforce library to the patch version.