Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
AnalysisAI
Forceful browsing attacks in Drupal File Access Fix (deprecated) versions below 1.2.0 allow unauthenticated remote attackers to bypass file access controls and retrieve unauthorized files through direct path enumeration. The vulnerability stems from incorrect authorization validation in the deprecated module (cpe:2.3:a:drupal:file_access_fix_(deprecated):*:*:*:*:*:*:*:*), affecting all versions from 0.0.0 through 1.1.x. No public exploit code or active exploitation has been identified at time of analysis, but the deprecated status and widespread use of Drupal installations increase real-world risk exposure.
Technical ContextAI
The File Access Fix module for Drupal is designed to enforce access control policies on file downloads and direct file access. The vulnerability exists in CWE-863 (Incorrect Authorization), which manifests as insufficient validation of user permissions before granting access to protected files. When a user or unauthenticated attacker directly requests a file path (forceful browsing), the module fails to properly verify that the requester has explicit authorization to view that specific file. This allows attackers to circumvent the intended access control logic by guessing or enumerating file paths, potentially exposing sensitive documents, user uploads, or configuration files. The root cause is inadequate permission checks at the file retrieval endpoint rather than a broken authentication mechanism; the system simply does not validate 'can this user access this resource' before serving it.
RemediationAI
Upgrade Drupal File Access Fix (deprecated) to version 1.2.0 or later as described in the vendor security advisory at https://www.drupal.org/sa-contrib-2026-021. If immediate patching is not feasible, disable or uninstall the deprecated module entirely, since it is no longer maintained and modern Drupal core provides superior file access controls natively. As a temporary mitigation, restrict direct file access via web server configuration (e.g., deny direct HTTP access to /sites/default/files paths in .htaccess or nginx configuration) and enforce authentication at the reverse proxy layer for sensitive file directories. Review access logs for evidence of forceful browsing attempts (repeated 404/403 responses to sequential or guessed file paths). Organizations using newer Drupal versions should assess whether this deprecated module is still necessary or can be replaced with core file handling.
More in File Access Fix Deprecated
View allSame weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16377