By weakness (CWE)
CWE-267: related vulnerabilities
CVEs classified under CWE-267. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
1 published vulnerability
- CVE-2026-6816LOW 3.8
Drupal's TFA Basic Plugins module contains a flaw that allows administrators with user management permissions to access or create recovery codes intended for other users. This bypasses the expected access controls around two-factor authentication recovery mechanisms. The vulnerability is restricted to versions 7.x-1.0 through 7.x-1.2, and exploitation requires administrative privileges, limiting its immediate threat to environments where admin accounts are already compromised or where trust boundaries have been violated.