CVE-2026-3530 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Drupal OpenID Connect / OAuth client module in versions prior to 1.5.0. SSRF vulnerabilities allow an attacker to induce the server to send crafted requests to internal or external systems, potentially bypassing network restrictions. The vulnerability requires low privileges and no user interaction. The CVSS 3.1 base score is 4.3, reflecting a network attack vector, low attack complexity, and limited confidentiality impact without affecting integrity or availability.

The vulnerability could allow an attacker with low privileges to make the server perform unintended requests, potentially exposing internal resources or services. The impact is limited to confidentiality loss, with no direct impact on integrity or availability reported. There are no known active exploits targeting this vulnerability currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor Drupal's official security advisories for updates. Until a fix is available, consider restricting access to the affected module or limiting network access from the server to sensitive internal resources to reduce potential exploitation risk.