Affected versions: v2.3.*
Resolving versions: v126.96.36.199
This Security Advisory is about a vulnerability in GraphQL authentication. GraphQL allows you to configure alternative user checkers (login handlers), but these are not recognized on login, the standard handler is always used. This means that for example login by email will not work, even if the handler for this is enabled. It also means that login by username will work, even if this is disabled. This constitutes a risk when this behaviour is unexpected and unwanted. The fix ensures that the configured user checker is used.
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/