Zero Day Monitor (ZDM)
CVE-2026-6816 · EXPLOITED
drupal · tfa basic plugins

TFA Basic Plugins - Access Bypass

Description

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| drupal | tfa basic plugins | 7.x-1.0 |

Also Affects

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|--------|---------|--------|------------|
| open source | drupal | cert_advisory | 90% |

References

  • https://www.herodevs.com/vulnerability-directory/cve-2026-6816 (third-party-advisory)
  • https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085 (third-party-advisory)

Related News (2 articles)

Tier C · VulDB · 20d ago
CVE-2026-6816 | TFA Basic Plugin up to 7.x-1.2 on Drupal privilege defined with unsafe actions
→ No new info (linked only)

Tier B · BSI Advisories · 20d ago
[UPDATE] [high] Drupal: Multiple vulnerabilities allow bypassing security measures
→ No new info (linked only)

  • CISA KEV: ❌ No
  • Actively exploited: ✅ Yes
  • CWE: CWE-267
  • Published: May 28, 2026
  • Last enriched: 20d ago (v2)
  • Trending Score: 3
  • Source articles: 2
  • Independent: 2
  • Info Completeness: 7/14
  • Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · PRE-CVE: Multiple vulnerabilities in Drupal core and contributed modules (Trending: 30)
  • CRITICAL · CVE-2026-9082 · EXP · KEV: Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 (Trending: 14)
  • CRITICAL · PRE-CVE · EXP: Multiple Vulnerabilities in Various Drupal Extensions (Trending: 7)
  • CRITICAL · PRE-CVE: Critical Arbitrary PHP Code Execution in Drupal AlternativeCommerce (Basket) (Trending: 3)
  • CRITICAL · CVE-2026-8495: Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037 (Trending: 3)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • May 28, 2026: CVE Published
  • May 28, 2026: Discovered by ZDM
  • May 29, 2026: Updated: description, severity, activelyExploited
  • May 29, 2026: Actively Exploited

Version History

v2 · Tier C · 20d ago · via VulDB (last enriched 20d ago)

Updated description with new technical details, changed severity to HIGH, and marked as actively exploited.

Changed fields: description, severity, activelyExploited

v1 · 20d ago

Initial creation