CVE-2025-31691 is a critical security vulnerability identified in the Drupal OAuth2 Server module, specifically affecting versions prior to 2.1.0 (notably version 0.0.0). The vulnerability is classified under CWE-862, which corresponds to Missing Authorization. This flaw allows an attacker to perform forceful browsing attacks, meaning unauthorized users can access resources or endpoints that should be protected by authorization controls. The OAuth2 Server module in Drupal is responsible for managing OAuth2 authentication and authorization flows, which are critical for secure API access and delegated authentication. Due to the missing authorization checks, an attacker can bypass access controls without any authentication or user interaction, gaining unauthorized access to sensitive data or functionality. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation over the network without privileges or user interaction. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a high-risk issue that requires immediate attention. The lack of available patches at the time of disclosure further increases the urgency for mitigation and monitoring. Organizations using the Drupal OAuth2 Server module in affected versions are at risk of unauthorized data exposure, privilege escalation, and potential disruption of services relying on OAuth2 authentication mechanisms.

For European organizations, the impact of CVE-2025-31691 can be significant, especially for those relying on Drupal-based web applications and services that utilize the OAuth2 Server module for authentication and authorization. Unauthorized access due to missing authorization checks can lead to exposure of sensitive personal data, intellectual property, or critical business information, violating GDPR and other data protection regulations. This can result in legal penalties, reputational damage, and financial losses. Furthermore, attackers exploiting this vulnerability could manipulate or disrupt authentication flows, potentially leading to service outages or unauthorized actions within affected applications. Sectors such as government, finance, healthcare, and critical infrastructure, which often use Drupal for public-facing portals or internal applications, are particularly at risk. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and rapid compromise. Additionally, the vulnerability could be leveraged as a foothold for further lateral movement within networks, amplifying the overall security risk for European enterprises.

Given the absence of an official patch at the time of disclosure, European organizations should implement immediate compensating controls to mitigate the risk: 1) Restrict access to the OAuth2 Server endpoints by implementing network-level controls such as IP whitelisting or VPN-only access to reduce exposure to untrusted networks. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block forceful browsing attempts targeting OAuth2 Server endpoints. 3) Conduct thorough access reviews and tighten permissions on OAuth2 Server configurations to minimize unnecessary exposure. 4) Monitor logs for unusual access patterns or repeated unauthorized requests to OAuth2 Server resources, enabling early detection of exploitation attempts. 5) Where feasible, temporarily disable or replace the OAuth2 Server module with alternative, secure authentication mechanisms until an official patch is released. 6) Stay updated with Drupal security advisories and apply patches promptly once available. 7) Educate development and operations teams about the vulnerability to ensure awareness and prompt response. These targeted actions go beyond generic advice by focusing on immediate risk reduction tailored to the OAuth2 Server context and the nature of the missing authorization flaw.