Registration role – Critical – Access bypass – SA-CONTRIB-2024-015

Drupal Security Advisory

Access bypass
Affected versions: 

The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.

The module has a logic error when handling sites that upgraded code and did not run the Drupal update process (e.g. update.php).

This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.


Install the latest version:

Review user accounts registered between 2023 July 11 and now for having additional roles you did not intend for them to have. If your site missed or reverted an update to configuration in the version 2.0.0 release of Registration Role (or development branch from 2020 August 17 on), non-selected roles were not removed from configuration. Without this update, up until you re-saved the settings form or until you install the new release – whichever came first – users who registered receive all roles.

Also, upgrade to the latest version and run update hooks at update.php or with Drush, drush updb

OR: Immediately re-save the the configuration page at /admin/people/registration-role

Fixed By: 
Coordinated By: