CVE-2025-10928: Drupal Access code allows Brute Force Attempts
6.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/access_code | composer | < 2.0.5 | 2.0.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an improper restriction of excessive authentication attempts in the Drupal Access Code module, allowing for brute-force attacks. The analysis of the security advisory and the associated patch indicates that the vulnerability lies within the AccessCodeLoginForm. The patch for CVE-2025-10928 introduces flood control to the login form validation process.
The key vulnerable function is Drupal\access_code\Form\AccessCodeLoginForm::validateForm. This function handles the validation of the user-submitted access code. Prior to the patch, it lacked any mechanism to prevent an attacker from making an unlimited number of login attempts. This would allow an attacker to brute-force access codes.
The fix involves injecting the FloodInterface service and using it within the validateForm function to track and limit failed login attempts per IP address. Specifically, the isAllowed method is called to check whether a further attempt from that address is still permitted, and the register method is called to record each failed attempt so the per-address counter advances. This mitigates the brute-force vulnerability by bounding the number of guesses an address can make within the flood window.
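The following is an added illustration of that fix pattern in a Drupal form class; it is not the module's actual patch (which this page does not reproduce), and the flood event name, threshold, window and the codeIsValid() placeholder are assumptions:

```php
<?php
// Added illustration, not the access_code module's own code: FloodInterface
// injected into the form and consulted in validateForm() before the code is checked.
namespace Drupal\access_code\Form;
use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

class AccessCodeLoginForm extends FormBase {
  // Constructed limits: 5 failures per client IP within a 3600-second window.
  const FLOOD_NAME = 'access_code.failed_login_ip';
  const FLOOD_THRESHOLD = 5;
  const FLOOD_WINDOW = 3600;

  public function __construct(protected FloodInterface $flood) {}

  public static function create(ContainerInterface $container) {
    // Inject core's 'flood' service rather than calling \Drupal::flood() statically.
    return new static($container->get('flood'));
  }

  public function getFormId() {
    return 'access_code_login_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['access_code'] = ['#type' => 'password', '#title' => $this->t('Access code'), '#required' => TRUE];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Log in')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $ip = $this->getRequest()->getClientIp();
    // Refuse to even check the code once this IP has used up its attempts.
    if (!$this->flood->isAllowed(self::FLOOD_NAME, self::FLOOD_THRESHOLD, self::FLOOD_WINDOW, $ip)) {
      $form_state->setErrorByName('access_code', $this->t('Too many failed attempts. Try again later.'));
      return;
    }
    if (!$this->codeIsValid((string) $form_state->getValue('access_code'))) {
      // Record the failure so the per-IP counter advances toward the threshold.
      $this->flood->register(self::FLOOD_NAME, self::FLOOD_WINDOW, $ip);
      $form_state->setErrorByName('access_code', $this->t('Invalid access code.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Reset the counter on success so a legitimate user is not locked out later.
    $this->flood->clear(self::FLOOD_NAME, $this->getRequest()->getClientIp());
  }

  protected function codeIsValid(string $code): bool {
    // Placeholder for the module's real lookup; constant-time compare against a constructed hash.
    return hash_equals(hash('sha256', 'constructed-demo-code'), hash('sha256', $code));
  }
}
```

Because the counter is keyed by client IP, the threshold and window should be chosen with shared NAT egress and the site's trusted-proxy configuration in mind, otherwise many users behind one address share a single budget or the address seen by the form is not the real client.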
While the Drupal security advisory SA-CONTRIB-2025-108 also mentions an access bypass/enumeration vulnerability, the patch and the CVE description clearly point to a brute-force issue. This analysis focuses on the evidence from the code changes, which address the lack of rate limiting.
Vulnerable functions
Drupal\access_code\Form\AccessCodeLoginForm::validateForm (src/Form/AccessCodeLoginForm.php)