Vulnerability from drupal
Published
2026-06-24 18:48
Modified
2026-06-24 18:48
Summary
Details

The Salesforce Suite of modules integrates Drupal with Salesforce.

The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account.

This vulnerability is mitigated by the fact that the salesforce_oauth submodule must be enabled, with a salesforce_oauth authorization profile active and in use. The salesforce_oauth submodule is deprecated, and salesforce_jwt has been the recommended authentication plugin for several years. Sites with salesforce_oauth uninstalled, or sites relying exclusively on salesforce_jwt (JWT or JWT Gov Cloud) for authentication, are not impacted.

The salesforce_oauth submodule has been removed in the 6.0.x branch, so versions >= 6.0.x are not affected by this vulnerability.

Credits
Muhammedali Aliyev (swordmein) www.drupal.org/u/swordmein

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c5.1.3"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/salesforce"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c5.1.3"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-13243"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/swordmein"
      ],
      "name": "Muhammedali Aliyev (swordmein)"
    }
  ],
  "details": "The Salesforce Suite of modules integrates Drupal with Salesforce.\n\nThe Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker\u0027s Salesforce account.\n\nThis vulnerability is mitigated by the fact that `salesforce_oauth` submodule must be enabled, and a `salesforce_oauth` authorization profile active and in use. The submodule `salesforce_oauth` is deprecated, and `salesforce_jwt` has been the recommended authentication plugin for several years. Sites with `salesforce_oauth` uninstalled, or sites relying exclusively on `salesforce_jwt` (JWT or JWT Gov Cloud) for authentication are not impacted.\n\nSubmodule salesforce\\_oauth has been removed in branch 6.0.x, so \u003e= 6.0.x versions are not affected by this vulnerability.",
  "id": "DRUPAL-CONTRIB-2026-063",
  "modified": "2026-06-24T18:48:15.000Z",
  "published": "2026-06-24T18:48:15.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-063"
    }
  ],
  "schema_version": "1.7.0"
}