CVE-2025-13986

4.2 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Drupal sites using the Disable Login Page module by exploiting an alternate path or channel. It affects all Drupal sites running vulnerable versions of the Disable Login Page module. Attackers could gain unauthorized access to administrative functions or protected content.

💻 Affected Systems

Products:
  • Drupal Disable Login Page module
Versions: 0.0.0 through 1.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal sites with the Disable Login Page module installed and enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise through administrative access, data theft, content manipulation, or malware injection.

🟠

Likely Case

Unauthorized access to protected content or functionality, potential privilege escalation if combined with other vulnerabilities.

🟢

If Mitigated

Limited impact if strong network controls, monitoring, and principle of least privilege are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-288 vulnerabilities typically involve simple path manipulation or parameter tampering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-124

Restart Required: No

Instructions:

1. Update the Disable Login Page module to version 1.1.3 via Drupal's update manager or Composer.
2. Clear Drupal caches.
3. Verify that module functionality remains intact.

🔧 Temporary Workarounds

Disable vulnerable module (applies to: all)

Temporarily remove the Disable Login Page module until patching is possible. Drupal 8 and later have no "disabled" module state, so the Drush command is pm:uninstall rather than pm:disable:

drush pm:uninstall disable_login_page

Implement web application firewall rules (applies to: all)

Block suspicious authentication bypass attempts at the WAF level.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Enable detailed authentication logging and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Drupal's module list for Disable Login Page version 1.1.2 or earlier

Check Version:

drush pm:list | grep disable_login_page

Verify Fix Applied:

Confirm Disable Login Page module version is 1.1.3 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Access to protected paths without proper authentication
  • Failed login attempts from unexpected sources

Network Indicators:

  • HTTP requests attempting to bypass authentication endpoints
  • Unusual parameter patterns in authentication requests

SIEM Query:

source="drupal" (event_type="authentication" OR event_type="access_denied") status="success" NOT src_ip IN ("EXPECTED_RANGE_1", "EXPECTED_RANGE_2")

(Splunk-style search. The field names follow the page's own indicators; src_ip and the EXPECTED_RANGE_* values are placeholders to replace with your log's source-address field and your allow-listed ranges.)
