PT-2026-23109 · Drupal+2 · File Access Fix+1
Damien Mckenna +3 · Published 2026-03-04 · Updated 2026-03-26 · CVE-2026-3526
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Drupal File Access Fix (deprecated) versions prior to 1.2.0
Description
The File Access Fix module (deprecated) contains an authorization flaw that could allow forceful browsing of files. The module manages file storage based on entity access permissions, but it does not consistently validate access logic. This can lead to files attached to entities not being properly protected in some cases. The issue is resolved by saving the entity a second time.
Recommendations
Update to version 1.2.0 or later.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
File Access Fix
Drupal/File Access Fix