—

DRUPAL-CONTRIB-2026-063

상세

The Salesforce Suite of modules integrates Drupal with Salesforce.

The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account.

This vulnerability is mitigated by the fact that `salesforce_oauth` submodule must be enabled, and a `salesforce_oauth` authorization profile active and in use. The submodule `salesforce_oauth` is deprecated, and `salesforce_jwt` has been the recommended authentication plugin for several years. Sites with `salesforce_oauth` uninstalled, or sites relying exclusively on `salesforce_jwt` (JWT or JWT Gov Cloud) for authentication are not impacted.

Submodule salesforce\_oauth has been removed in branch 6.0.x, so >= 6.0.x versions are not affected by this vulnerability.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist:https://packages.drupal.org/8 / drupal/salesforce

최초 영향 버전: 0 수정 버전: 5.1.3

Upgrade drupal/salesforce to 5.1.3 or newer (ecosystem packagist:https://packages.drupal.org/8).

참고

https://www.drupal.org/sa-contrib-2026-063 [WEB]