Platform
drupal
Component
drupal
Fixed in
10.2.11
10.3.9
11.0.8
CVE-2024-55634 is a vulnerability in Drupal Core that affects versions up to 9.5.9. It stems from inconsistent uniqueness checks for user email addresses: whether two addresses are treated as the same depends on the database engine and collation in use. Because of this inconsistency, multiple users can register with the same email address, leading to potential data integrity problems within the Drupal site.
The primary impact of CVE-2024-55634 is the potential for data integrity issues. Allowing duplicate email addresses can lead to confusion among users, incorrect account assignments, and difficulties in communication. Attackers could exploit this to create fake accounts impersonating legitimate users, potentially for malicious purposes such as spreading misinformation or gaining unauthorized access to sensitive data. While this is not a direct remote code execution flaw, the compromised data integrity could serve as a stepping stone for further attacks if combined with other vulnerabilities.
This vulnerability was publicly disclosed on December 10, 2024. There are currently no known public exploits or active campaigns targeting this specific vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. The likelihood of exploitation is considered low to medium, depending on the prevalence of vulnerable Drupal installations and the attacker's motivation.
Exploit Status
EPSS
0.85% (75th percentile)
The recommended mitigation for CVE-2024-55634 is to upgrade Drupal Core to version 10.2.11 or later. This version includes the fix for the inconsistent uniqueness checking logic. If an immediate upgrade is not feasible, consider implementing stricter email verification during user registration to help detect and prevent duplicate registrations. While not a complete solution, this can reduce the risk until the upgrade can be performed. After upgrading, confirm the fix by attempting to register two accounts with the same email address; the system should reject the second registration.
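To make the collation dependence concrete and to give administrators an audit they can run before and after upgrading, here is an added example (not Drupal's own code). It uses an in-memory SQLite table with a hypothetical `users_mail` column to stand in for the site's user table: the same UNIQUE index accepts or rejects a re-registered address depending on the collation, while an application-level normalisation (trim, NFKC, case-fold) finds duplicate groups regardless of what the database considers equal.

```python
import sqlite3
import unicodedata

# Constructed sample of registered addresses; not data from any real site.
SAMPLE_MAILS = [
    "alice@example.com",
    "Alice@Example.com",   # same mailbox, different case
    "bob@example.com",
    "bob@example.com ",    # same mailbox, trailing whitespace
    "carol@example.com",
]


def duplicate_slots(mails, collation="NOCASE"):
    """Count how many inserts a UNIQUE index rejects under the given SQLite collation.

    BINARY compares raw bytes (case-sensitive), NOCASE folds ASCII case only. This
    mirrors the engine/collation dependence described for the Drupal email check.
    The table name is hypothetical.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE users_mail (mail TEXT COLLATE {collation} UNIQUE)")
    rejected = 0
    for mail in mails:
        try:
            conn.execute("INSERT INTO users_mail (mail) VALUES (?)", (mail,))
        except sqlite3.IntegrityError:
            rejected += 1
    conn.close()
    return rejected


def canonical(mail):
    """Normalise an address independently of the database collation."""
    return unicodedata.normalize("NFKC", mail.strip()).casefold()


def find_duplicate_groups(mails):
    """Group stored addresses that collapse to the same canonical form (audit helper)."""
    groups = {}
    for mail in mails:
        groups.setdefault(canonical(mail), []).append(mail)
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    for collation in ("BINARY", "NOCASE"):
        print(f"{collation}: {duplicate_slots(SAMPLE_MAILS, collation)} duplicate(s) rejected")
    print("duplicate groups:", find_duplicate_groups(SAMPLE_MAILS))
```

Running the audit against an export of the site's stored email addresses lists the accounts that an upgraded Drupal would no longer allow to coexist, which is the set to review for impersonation before and after applying the fix.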
Update Drupal Core to the latest available version. For versions 8.x to 10.2.x, update to version 10.2.11 or higher. For versions 10.3.x, update to version 10.3.9 or higher. For versions 11.0.x, update to version 11.0.8 or higher.
CVE-2024-55634 is a vulnerability in Drupal Core allowing users to register with duplicate email addresses due to inconsistent uniqueness checks, potentially compromising data integrity. It affects versions ≤9.5.9.
Yes, if you are using Drupal Core versions 8.0.0 through 9.5.9, you are potentially affected by this vulnerability. Upgrade to 10.2.11 or later to mitigate the risk.
The recommended fix is to upgrade Drupal Core to version 10.2.11 or later. Implement stricter email verification processes as a temporary workaround if immediate upgrade is not possible.
As of December 2024, there are no known public exploits or active campaigns targeting CVE-2024-55634, but vigilance is still advised.
Refer to the official Drupal security advisory for detailed information and updates: https://www.drupal.org/security/advisories/cve-2024-55634