CVE-2026-1917
EPSS 0.20%
Description
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. ( default: <http://example.com/user/login?admin> ) If they provide the access key and have a specific role they can log in. The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.
How to fix CVE-2026-1917
To remediate CVE-2026-1917, upgrade the affected package to a fixed version below.
- Packagist/drupal/login_disable—upgrade to 2.1.3 or later
Is CVE-2026-1917 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.1.3