Salesforce - Critical - CSRF - BACKDROP-SA-CONTRIB-2026-016

Date:

Wednesday, Apr 29th, 2026

Advisory ID:

BACKDROP-SA-CONTRIB-2026-001

Security risk:

Critical

Vulnerability:

Cross Site Request Forgery

Versions affected:

All Salesforce versions prior to 1.x-1.0.1

Description:

This module suite implements a mapping functionality between Salesforce objects and Backdrop entities

This module does not generate or validate a cryptographically random `state` parameter to protect the authorization flow against CSRF attacks.

Additionally, the OAuth callback is accessible to most authenticated and potentially anonymous users depending on site configuration.

A CVE has been requested, and this page will be updated as soon as an official number has been issued.

Solution:

Upgrade your site to use the most recent version of the Salesforce module. Download available on the Salesforce project page.

Reported By:

Muhammedali Aliyev

Fixed By:

Coordinated By:

Jen Lampton of the Backdrop CMS Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

Log in to backdropcms.org
Edit your profile
Switch to the "Subscriptions" tab
Check the box labeled "Security updates"
Save the form

Security Advisories

The list below includes the latest advisories for both Backdrop core and any project in the contributed repository. See the entire list of all advisories.