The vulnerability allows hacker to compromise any accounts including Admin account.
There is another security vulnerability "Access bypass " estimated as moderately critical can be exploited by an attacker to access unpublished content.
These vulnerabilities have been patched in the latest version of Drupal 6.30 and 7.26. The latest versions don't have any new features but users are advised to upgrade.
"[The first] vulnerability is mitigated by the fact that the malicious user must have an account on the site (or be able to create one), and the victim must have an account with one or more associated OpenID identities." security advisory reads.