Drupal TFA Basic Plugins < 1.2 Access Bypass via Admin Users
CVE-2026-6816 Published on May 28, 2026

TFA Basic Plugins - Access Bypass
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the "administer users" permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2.

NVD

Weakness Type

Privilege Defined With Unsafe Actions

A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.


Affected Versions

Drupal TFA Basic Plugins:

Exploit Probability

EPSS: 0.29%
Percentile: 20.17%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.