Skip to main content

File Access Fix Deprecated CVE-2026-3526

| EUVDEUVD-2026-16377 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-26 drupal
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16377
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:02 nvd
MEDIUM 5.3

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

AnalysisAI

Forceful browsing attacks in Drupal File Access Fix (deprecated) versions below 1.2.0 allow unauthenticated remote attackers to bypass file access controls and retrieve unauthorized files through direct path enumeration. The vulnerability stems from incorrect authorization validation in the deprecated module (cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*), affecting all versions from 0.0.0 through 1.1.x. No public exploit code or active exploitation has been identified at time of analysis, but the deprecated status and widespread use of Drupal installations increase real-world risk exposure.

Technical ContextAI

The File Access Fix module for Drupal is designed to enforce access control policies on file downloads and direct file access. The vulnerability exists in CWE-863 (Incorrect Authorization), which manifests as insufficient validation of user permissions before granting access to protected files. When a user or unauthenticated attacker directly requests a file path (forceful browsing), the module fails to properly verify that the requester has explicit authorization to view that specific file. This allows attackers to circumvent the intended access control logic by guessing or enumerating file paths, potentially exposing sensitive documents, user uploads, or configuration files. The root cause is inadequate permission checks at the file retrieval endpoint rather than a broken authentication mechanism; the system simply does not validate 'can this user access this resource' before serving it.

RemediationAI

Upgrade Drupal File Access Fix (deprecated) to version 1.2.0 or later as described in the vendor security advisory at https://www.drupal.org/sa-contrib-2026-021. If immediate patching is not feasible, disable or uninstall the deprecated module entirely, since it is no longer maintained and modern Drupal core provides superior file access controls natively. As a temporary mitigation, restrict direct file access via web server configuration (e.g., deny direct HTTP access to /sites/default/files paths in .htaccess or nginx configuration) and enforce authentication at the reverse proxy layer for sensitive file directories. Review access logs for evidence of forceful browsing attempts (repeated 404/403 responses to sequential or guessed file paths). Organizations using newer Drupal versions should assess whether this deprecated module is still necessary or can be replaced with core file handling.

Share

CVE-2026-3526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy