PT-2026-23108 · Drupal+2 · File Access Fix+1
Greg Knaddison +2 · Published 2026-03-04 · Updated 2026-03-26
CVE-2026-3525
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Drupal File Access Fix (deprecated) versions prior to 1.2.0
Description
The File Access Fix module (deprecated) has an authorization issue that allows for forceful browsing. The module manages file access, moving files between public and private storage based on entity access. The issue arises because the module does not properly integrate with the hook_file_download hook when implemented by custom or contributed modules, leading to potential access bypass.
Recommendations
Update to File Access Fix version 1.2.0 or later.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
File Access Fix
Drupal/File Access Fix