The user module in Drupal 5.x before 5.11 and 6.x before 6.5 might allow remote authenticated users to bypass intended login access rules and successfully login via unknown vectors.