CVE-2026-45430 · The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow aga

01 · The Real Story

This is less a front-door smash and more a valet swapping the parking ticket during a rare handoff

CVE-2026-45430 is an OAuth authorization-flow CSRF in the Backdrop CMS Salesforce module: versions earlier than 1.x-1.0.1 do not generate and validate a cryptographically random state value, and the vendor notes the OAuth callback may be reachable by most authenticated users and sometimes anonymous users depending on site configuration. In practice, that means an attacker can try to confuse or bind the authorization callback to the wrong OAuth transaction during Salesforce setup, potentially causing the site to accept attacker-influenced authorization results.

The CNA/NVD-style 7.1 HIGH score is technically defensible in a lab because the bug can affect confidentiality and integrity over the network. In enterprise reality, that overstates the operational risk: the module is niche, the victim population is only Backdrop sites that installed this specific contrib module, exploitation usually depends on catching a privileged user during a Salesforce authorization workflow, and there is no evidence here of mass scanning, KEV inclusion, or public weaponization.

"Real bug, real impact, but this is a niche OAuth CSRF that usually needs an admin in the loop."

02 · The Attack Path

5 steps from start to impact.

STEP 01

Find a site running the vulnerable module

The attacker first needs a Backdrop CMS site that uses the contributed salesforce module and exposes the OAuth callback path. Typical recon is commodity web enumeration plus manual review of Backdrop artifacts; there is no known turnkey internet-scale fingerprint for this exact module in the reviewed sources.

Conditions required:

Target runs Backdrop CMS
salesforce module version is older than 1.x-1.0.1
OAuth callback endpoint is reachable

Where this breaks in practice:

Backdrop itself is a smaller CMS footprint
This is a contrib module, not core, so affected population is much narrower
Public internet census for this exact module is weak; most orgs will need CMDB/SBOM or host-based discovery

Detection/coverage: External scanners may identify Backdrop, but version-level detection for this contrib module is usually host-based or authenticated content inspection.

STEP 02

Prepare a forged OAuth flow

Using a browser, Burp Suite, or a hand-built authorization URL, the attacker prepares a flow that relies on the missing or non-random state parameter. The goal is to make the callback accept an authorization response that is not bound to the victim's original session or intended transaction.

Conditions required:

Attacker can register or control a Salesforce connected app or otherwise drive an OAuth code flow
Vulnerable module does not validate a cryptographically strong state value

Where this breaks in practice:

This is not one-click RCE; the attacker has to understand the product's OAuth flow
The exact abuse path depends on how the site owner configured Salesforce authorization

Detection/coverage: SAST/manual code review catches this class well; commodity DAST often misses it unless the scanner understands OAuth state handling.

STEP 03

Get the right user into the flow

The attacker needs a user who can complete or influence Salesforce authorization for the Backdrop site. That is typically an administrator or delegated operator visiting the authorization page or completing setup while authenticated to the CMS.

Conditions required:

Victim has permission to configure or complete Salesforce authorization
Victim interacts with attacker-controlled content or link

Where this breaks in practice:

Requires user interaction
Often requires catching an admin during initial setup or reauthorization, which is a low-frequency event
Email security, browser protections, training, and MFA all reduce success even if they do not eliminate the bug

Detection/coverage: Look for unusual referrers, suspicious requests around /salesforce/oauth_callback, and authorization attempts outside change windows.

STEP 04

Callback accepts the wrong transaction

Because the module does not properly bind the callback to a cryptographically random state, the OAuth callback can accept a response it should have rejected. If successful, the Backdrop site may store tokens or complete authorization against the wrong Salesforce context.

Conditions required:

Victim reaches the vulnerable callback path
Unpatched module handles the authorization response

Where this breaks in practice:

Real-world success may depend on timing and user workflow
Some deployments may still require existing authenticated session context or specific configuration

Detection/coverage: Application logs and reverse proxy logs can reveal abnormal callback bursts, repeated code parameter exchanges, or authorization from unexpected source IPs.

STEP 05

Abuse the resulting integration

After a successful bind or authorization confusion, the attacker can leverage the Salesforce linkage to influence synced data, expose mapped records, or poison downstream CRM synchronization. The blast radius is usually bounded to whatever entities and fields the module is configured to map, not arbitrary server control.

Conditions required:

Salesforce mappings are configured
Tokens are accepted and stored
Sync jobs or user actions consume the new authorization state

Where this breaks in practice:

Impact is limited to the integration surface, not full CMS or OS takeover
Sites with minimal or read-only mappings have reduced impact

Detection/coverage: Monitor for unexpected token refreshes, changed connected-app relationships, unusual sync jobs, and data movement between Backdrop and unfamiliar Salesforce tenants.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No evidence of active exploitation found in reviewed public sources; not listed in CISA KEV.
KEV status	Not KEV-listed as of the reviewed CISA catalog source.
Proof-of-concept availability	No public PoC located in reviewed searches; no Exploit-DB or obvious GitHub PoC surfaced. Confidence is medium because absence of evidence is not evidence of absence.
EPSS	0.00019 (user-supplied intel). A secondary public tracker reports this as roughly 4th percentile / higher than 4% of CVEs, which is consistent with very low near-term exploitation likelihood.
CVSS vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L` — the important real-world dampeners are high attack complexity and required user interaction.
Affected versions	All Salesforce module versions prior to `1.x-1.0.1` for Backdrop CMS.
Fixed version	`1.x-1.0.1` on the Backdrop project page and GitHub release. No distro backport data found in reviewed sources.
Exposure/scanning data	No decision-grade public internet census found for this exact Backdrop contrib module in reviewed Censys/GreyNoise material. Treat this as inventory-driven exposure, not internet-scan-driven exposure.
Disclosure timeline	Backdrop advisory published 2026-04-29; CVE record/public disclosure shown as 2026-05-12 with update activity on 2026-05-13 in secondary CVE aggregators.
Reporter / coordinator	Reported and fixed by Muhammedali Aliyev with coordination by Jen Lampton of the Backdrop CMS Security Team.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.3/10)

The decisive downgrader is workflow friction: this bug is exploitable over the network, but it usually matters only when a privileged user is actively completing a Salesforce OAuth authorization flow on a niche Backdrop contrib module. That sharply constrains both the reachable population and the probability of successful abuse compared with generic externally reachable web flaws.

HIGH Affected-version boundary at `< 1.x-1.0.1`

MEDIUM Practical attack-chain assessment and likely victim workflow

MEDIUM No-public-PoC / no-active-exploitation conclusion

Why this verdict

Started from 7.1 HIGH: the CNA vector assumes meaningful confidentiality and integrity impact over a network path, and that's fair in a vacuum.
Downgraded for attacker position reality: this is not unauthenticated one-shot server compromise; it generally requires a victim user in the browser and, in practice, usually a user with configuration authority over the Salesforce integration.
Downgraded for exposure population: Backdrop is already a smaller ecosystem, and this is a specific contributed module inside it. That is a compounding population reducer versus mass-target products.
Downgraded for exploitation evidence: no KEV listing, no reviewed public exploitation reports, and an extremely low EPSS score argue against near-term opportunistic abuse.
Stopped at MEDIUM, not LOW: if the attack lands, the impact can be real for mapped CRM data and token binding, especially where the callback is broadly reachable and the integration syncs sensitive objects.

Why not higher?

This is not the kind of bug that turns into internet-wide spray-and-pray compromise. The chain depends on a narrow product population, a vulnerable OAuth workflow, and user interaction at the right moment; those are strong, compounding brakes on operational risk.

Why not lower?

The bug is not harmless hardening. Missing state protection in OAuth is a well-understood security control failure, and the vendor explicitly notes broad callback reachability, so successful abuse can still alter or expose Salesforce-linked data in a meaningful way.

05 · Compensating Control

What to do — in priority order.

Restrict the callback path — Limit access to /salesforce/oauth_callback with reverse-proxy rules, allowlists, or at minimum authenticated-session checks where your architecture permits. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control is worth deploying in the next normal change cycle because it cuts the anonymous attack surface immediately.
Gate Salesforce authorization to admins only — Review Backdrop permissions and any route access controls so only tightly scoped administrators can initiate or complete Salesforce authorization. There is no mitigation SLA for MEDIUM here, but this is a fast permission hardening measure you should complete before the remediation deadline.
Monitor OAuth callback and token events — Alert on unusual hits to the Salesforce callback, repeated authorization attempts, or Salesforce tenant changes outside approved maintenance windows. This does not fix the root cause, but it gives you a chance to catch misuse while you work through the 365-day patch window.
Review mapped objects and secrets exposure — Identify what entities, fields, and sync jobs the module can touch so you know the true blast radius if an authorization mix-up occurred. For MEDIUM there is no mitigation SLA, but scoping the data path now helps validate whether any temporary restrictions are justified before patching.

What doesn't work

WAF signatures alone do not reliably solve OAuth state misuse; the flaw is in transaction binding logic, not a simple payload pattern.
MFA on the CMS account helps the broader account posture but does not repair missing state validation once the victim is already authenticated and tricked into the flow.
Network vulnerability scanning alone is weak here because this contrib module is hard to fingerprint externally and the issue is primarily application-logic based.

06 · Verification

Crowdsourced verification payload.

Run this on the target Backdrop host or against a mounted webroot, not from an auditor workstation. Invoke it as bash check_cve_2026_45430.sh /var/www/backdrop with read access to the code tree; root is not required unless your webroot permissions are locked down.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_45430.sh
# Detects whether the Backdrop CMS Salesforce module is below 1.x-1.0.1.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET="${1:-}"
FIXED="1.0.1"

if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/backdrop-root"
  exit 2
fi

if [[ ! -d "$TARGET" ]]; then
  echo "UNKNOWN - target path does not exist: $TARGET"
  exit 2
fi

candidates=(
  "$TARGET/modules/salesforce/salesforce.info"
  "$TARGET/modules/contrib/salesforce/salesforce.info"
  "$TARGET/sites/all/modules/salesforce/salesforce.info"
  "$TARGET/sites/all/modules/contrib/salesforce/salesforce.info"
  "$TARGET/salesforce/salesforce.info"
)

INFO_FILE=""
for f in "${candidates[@]}"; do
  if [[ -f "$f" ]]; then
    INFO_FILE="$f"
    break
  fi
done

if [[ -z "$INFO_FILE" ]]; then
  INFO_FILE=$(find "$TARGET" -type f -path '*/salesforce/salesforce.info' 2>/dev/null | head -n 1)
fi

if [[ -z "$INFO_FILE" ]]; then
  echo "UNKNOWN - could not locate salesforce.info under $TARGET"
  exit 2
fi

version_line=$(grep -E '^version\s*=\s*"?.+"?$' "$INFO_FILE" 2>/dev/null | head -n 1 || true)
if [[ -z "$version_line" ]]; then
  echo "UNKNOWN - version line not found in $INFO_FILE"
  exit 2
fi

raw_version=$(echo "$version_line" | sed -E 's/^version\s*=\s*"?([^\"]+)"?$/\1/')
# Expected examples: 1.x-1.0.0 , 1.x-1.0.1 , 1.x-1.0.2
release_part=$(echo "$raw_version" | sed -E 's/^.*-([0-9]+\.[0-9]+\.[0-9]+)$/\1/')

if [[ ! "$release_part" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "UNKNOWN - unrecognized version format '$raw_version' in $INFO_FILE"
  exit 2
fi

lowest=$(printf '%s\n%s\n' "$release_part" "$FIXED" | sort -V | head -n 1)

if [[ "$release_part" == "$FIXED" ]]; then
  echo "PATCHED - found Salesforce module version $raw_version in $INFO_FILE"
  exit 0
fi

if [[ "$lowest" == "$release_part" && "$release_part" != "$FIXED" ]]; then
  echo "VULNERABLE - found Salesforce module version $raw_version in $INFO_FILE (fixed: 1.x-1.0.1)"
  exit 1
fi

echo "PATCHED - found Salesforce module version $raw_version in $INFO_FILE"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: use asset inventory to find any Backdrop sites with the salesforce contrib module, verify whether they are below 1.x-1.0.1, and patch them in the normal application maintenance stream. For this MEDIUM reassessment there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; if you want extra insurance, tighten callback exposure and admin-only authorization during the next change window, then complete the vendor update within the noisgate remediation SLA of 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.