Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
AnalysisAI
Drupal File (Field) Paths module 7.x prior to 7.1.3 allows authenticated users to disclose other users' private files through filename-collision uploads that manipulate file URI processing, causing hook_node_insert() consumers such as email attachment modules to access incorrect file URIs and bypass access controls on sensitive files. The vulnerability affects the Drupal File (Field) Paths package as confirmed via CPE cpe:2.3:a:drupal:drupal_file_(field)_paths:*:*:*:*:*:*:*:*. No public exploit code or active exploitation data has been identified at the time of analysis.
Technical ContextAI
Drupal File (Field) Paths is a module that manages file field path generation and URI processing for Drupal 7.x installations. The vulnerability exists in the file URI processing logic when handling field paths, specifically in how the module resolves and assigns file URIs during node insertion operations. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating insufficient access control validation when processing file paths. The vulnerability exploits a filename-collision condition where two authenticated users uploading files with identical or specially-crafted names can trigger URI assignment confusion, causing the system to associate the wrong file URI with a given file operation. This is particularly dangerous because hook_node_insert() implementations-common in email attachment and file processing modules-consume the potentially incorrect file URI without re-validating access permissions against the private file's actual owner.
RemediationAI
Upgrade Drupal File (Field) Paths to version 7.1.3 or later immediately. Consult the official Drupal security advisory and the Tag1 Consulting security advisory (https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation) for detailed patching instructions specific to your Drupal 7.x deployment. As an interim mitigation pending patch deployment, restrict file upload permissions to trusted user roles only and audit any hook_node_insert() implementations or email attachment modules for additional access control validation to ensure they verify file ownership before processing URIs. Monitor file upload logs for suspicious filename-collision patterns or rapid successive uploads from different users with identical filenames.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16422