CVE-2026-3530 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Drupal OpenID Connect / OAuth client module, affecting versions prior to 1.5.0. SSRF vulnerabilities allow attackers to abuse a vulnerable server to send crafted HTTP requests to arbitrary domains, including internal network resources that are otherwise inaccessible externally. In this case, the vulnerability arises from insufficient validation or sanitization of URLs or endpoints used by the OpenID Connect / OAuth client during authentication or token exchange processes. An attacker can exploit this flaw by triggering the vulnerable module to make requests to attacker-controlled or internal addresses, potentially accessing sensitive internal services, metadata endpoints, or other protected resources. This can lead to information disclosure, internal network scanning, or further attacks leveraging internal trust boundaries. The vulnerability does not require user interaction but does require the presence and use of the vulnerable module. No CVSS score has been assigned yet, and no public exploits have been reported. The module is widely used in Drupal deployments that integrate OAuth or OpenID Connect authentication, making this a significant concern for organizations relying on Drupal for identity federation or single sign-on capabilities.

The impact of CVE-2026-3530 can be significant for organizations using Drupal with the vulnerable OpenID Connect / OAuth client module. SSRF can allow attackers to bypass network access controls, reach internal services, and extract sensitive information such as internal IP addresses, metadata, or credentials stored in internal endpoints. This can lead to further compromise, lateral movement, or data breaches. Confidentiality is primarily at risk due to unauthorized data access, while integrity could be affected if internal services are manipulated via the SSRF. Availability impact is generally lower but could occur if internal services are overwhelmed or manipulated. Organizations with complex internal networks, cloud metadata services, or sensitive internal APIs are particularly vulnerable. Since the vulnerability affects authentication components, exploitation could undermine trust in identity and access management, potentially facilitating privilege escalation or unauthorized access. The lack of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

To mitigate CVE-2026-3530, organizations should upgrade the Drupal OpenID Connect / OAuth client module to version 1.5.0 or later as soon as the patch is released. Until then, administrators should consider disabling the module if not essential or restricting its usage to trusted environments. Implement strict input validation and sanitization on all URLs or endpoints processed by the module to prevent malicious request redirection. Network-level controls such as firewall rules or egress filtering should be applied to restrict the server's ability to make arbitrary outbound HTTP requests, especially to internal IP ranges or sensitive services. Monitoring and logging of outbound requests from the Drupal server can help detect suspicious SSRF attempts. Additionally, review and harden internal services to require authentication and limit exposure to SSRF-originated requests. Security teams should stay alert for any emerging exploit code or attack campaigns targeting this vulnerability and respond accordingly.