Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
AnalysisAI
Forceful browsing via incorrect authorization in Drupal File Access Fix (deprecated) module versions prior to 1.2.0 allows unauthenticated remote attackers to access files without proper access control checks. The vulnerability stems from CWE-863 (Incorrect Authorization) and affects all versions from 0.0.0 through 1.2.0. No public exploit code or active exploitation has been confirmed at the time of analysis, but the straightforward nature of authorization bypass attacks in file access contexts presents moderate real-world risk to installations still running deprecated versions of this module.
Technical ContextAI
The File Access Fix (deprecated) module for Drupal (CPE: cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*) is designed to control access to files within Drupal installations. The vulnerability is rooted in CWE-863 (Incorrect Authorization), which describes failures to enforce access control policies before allowing users to interact with resources. In this case, the module's authorization logic fails to properly validate whether a requesting user should be permitted to access specific files, enabling attackers to enumerate and retrieve files through forceful browsing (also known as directory traversal or path enumeration attacks). The deprecated status of this module indicates it is no longer actively maintained by the Drupal security team, increasing the likelihood that affected installations may not receive timely updates.
RemediationAI
Upgrade File Access Fix (deprecated) to version 1.2.0 or later by applying the patch referenced in the Drupal security advisory at https://www.drupal.org/sa-contrib-2026-020. For deployments unable to patch immediately, the strongest remediation is to disable or uninstall the deprecated module entirely and migrate to a maintained file access control solution within Drupal's current ecosystem. Network-level controls should restrict file access endpoints to trusted client IP ranges and enforce authentication requirements at the web server layer (via HTTP Basic Auth or reverse proxy rules) until patching is completed. Given the deprecated status of this module, complete removal and replacement with a supported alternative is strongly recommended over indefinite reliance on patches.
More in File Access Fix Deprecated
View allSame weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16375