Skip to main content

Red Hat CVE-2026-1556

| EUVDEUVD-2026-16422 MEDIUM
Information Exposure (CWE-200)
2026-03-26 drupal
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.x-1.3
EUVD ID Assigned
Mar 26, 2026 - 21:31 euvd
EUVD-2026-16422
Analysis Generated
Mar 26, 2026 - 21:31 vuln.today
CVE Published
Mar 26, 2026 - 21:14 nvd
MEDIUM 6.9

DescriptionCVE.org

Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.

AnalysisAI

Drupal File (Field) Paths module 7.x prior to 7.1.3 allows authenticated users to disclose other users' private files through filename-collision uploads that manipulate file URI processing, causing hook_node_insert() consumers such as email attachment modules to access incorrect file URIs and bypass access controls on sensitive files. The vulnerability affects the Drupal File (Field) Paths package as confirmed via CPE cpe:2.3:a:drupal:drupal_file_(field)_paths:*:*:*:*:*:*:*:*. No public exploit code or active exploitation data has been identified at the time of analysis.

Technical ContextAI

Drupal File (Field) Paths is a module that manages file field path generation and URI processing for Drupal 7.x installations. The vulnerability exists in the file URI processing logic when handling field paths, specifically in how the module resolves and assigns file URIs during node insertion operations. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating insufficient access control validation when processing file paths. The vulnerability exploits a filename-collision condition where two authenticated users uploading files with identical or specially-crafted names can trigger URI assignment confusion, causing the system to associate the wrong file URI with a given file operation. This is particularly dangerous because hook_node_insert() implementations-common in email attachment and file processing modules-consume the potentially incorrect file URI without re-validating access permissions against the private file's actual owner.

RemediationAI

Upgrade Drupal File (Field) Paths to version 7.1.3 or later immediately. Consult the official Drupal security advisory and the Tag1 Consulting security advisory (https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation) for detailed patching instructions specific to your Drupal 7.x deployment. As an interim mitigation pending patch deployment, restrict file upload permissions to trusted user roles only and audit any hook_node_insert() implementations or email attachment modules for additional access control validation to ensure they verify file ownership before processing URIs. Monitor file upload logs for suspicious filename-collision patterns or rapid successive uploads from different users with identical filenames.

Vendor StatusVendor

Share

CVE-2026-1556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy