Skip to main content

File Access Fix Deprecated CVE-2026-3525

| EUVDEUVD-2026-16375 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 drupal
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16375
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:02 nvd
MEDIUM 5.3

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

AnalysisAI

Forceful browsing via incorrect authorization in Drupal File Access Fix (deprecated) module versions prior to 1.2.0 allows unauthenticated remote attackers to access files without proper access control checks. The vulnerability stems from CWE-863 (Incorrect Authorization) and affects all versions from 0.0.0 through 1.2.0. No public exploit code or active exploitation has been confirmed at the time of analysis, but the straightforward nature of authorization bypass attacks in file access contexts presents moderate real-world risk to installations still running deprecated versions of this module.

Technical ContextAI

The File Access Fix (deprecated) module for Drupal (CPE: cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*) is designed to control access to files within Drupal installations. The vulnerability is rooted in CWE-863 (Incorrect Authorization), which describes failures to enforce access control policies before allowing users to interact with resources. In this case, the module's authorization logic fails to properly validate whether a requesting user should be permitted to access specific files, enabling attackers to enumerate and retrieve files through forceful browsing (also known as directory traversal or path enumeration attacks). The deprecated status of this module indicates it is no longer actively maintained by the Drupal security team, increasing the likelihood that affected installations may not receive timely updates.

RemediationAI

Upgrade File Access Fix (deprecated) to version 1.2.0 or later by applying the patch referenced in the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-020. For deployments unable to patch immediately, the strongest remediation is to disable or uninstall the deprecated module entirely and migrate to a maintained file access control solution within Drupal's current ecosystem. Network-level controls should restrict file access endpoints to trusted client IP ranges and enforce authentication requirements at the web server layer (via HTTP Basic Auth or reverse proxy rules) until patching is completed. Given the deprecated status of this module, complete removal and replacement with a supported alternative is strongly recommended over indefinite reliance on patches.

Share

CVE-2026-3525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy