PT-2026-28313 · Drupal · Drupal File (Field) Paths
Michael Hess · Published 2026-03-26 · Updated 2026-03-26
CVE-2026-1556
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Drupal File (Field) Paths versions prior to 7.1.3
Description
An information disclosure issue exists in the file URI processing of File (Field) Paths in Drupal. Authenticated users can potentially disclose other users’ private files through filename-collision uploads. This can occur when consumers of hook_node_insert(), such as email attachment modules, receive an incorrect file URI, bypassing normal access controls on private files.
Recommendations
Update Drupal File (Field) Paths to version 7.1.3 or later.
Exploit
Fix
Information Disclosure
Affected Products
Drupal File (Field) Paths