{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1556", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-01-28T17:20:34.800Z", "datePublished": "2026-03-26T21:14:20.549Z", "dateUpdated": "2026-03-26T21:14:20.549Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T21:14:20.549Z"}, "title": "Information disclosure via file URI overwrite in File (Field) Paths", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-17", "descriptions": [{"lang": "en", "value": "CAPEC-17 Using Malicious Files"}]}], "affected": [{"vendor": "Drupal", "product": "Drupal File (Field) Paths", "platforms": ["Drupal 7.x"], "collectionURL": "https://www.drupal.org/project/filefield_paths", "packageName": "File (Field) Paths", "repo": "http://git.drupalcode.org/project/filefield_paths", "versions": [{"status": "affected", "version": "7.x-1.0", "lessThan": "7.x-1.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."}]}], "references": [{"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556", "tags": ["third-party-advisory"]}, {"url": "https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Michael Hess (mlhess)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users\u2019 private files via filename\u2011collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files."}], "id": "CVE-2026-1556", "lastModified": "2026-03-26T22:16:27.843", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mlhess@drupal.org", "type": "Secondary"}]}, "published": "2026-03-26T22:16:27.843", "references": [{"source": "mlhess@drupal.org", "url": "https://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation"}, {"source": "mlhess@drupal.org", "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-1556"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Drupal: File (Field) Paths: Drupal File (Field) Paths: Information Disclosure via filename-collision uploads", "id": "2451981", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451981"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-73", "details": ["A flaw was found in Drupal File (Field) Paths. This information disclosure vulnerability allows authenticated users to disclose other users\u2019 private files. This can be exploited by performing filename-collision uploads, which causes the system to receive incorrect file Uniform Resource Identifiers (URIs), thereby bypassing normal access controls on private files."], "name": "CVE-2026-1556", "public_date": "2026-03-26T21:14:20Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1556\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1556\nhttps://d7es.tag1.com/security-advisories/file-field-paths-moderately-critical-file-path-manipulation\nhttps://www.herodevs.com/vulnerability-directory/cve-2026-1556"], "statement": "This information disclosure vulnerability in Drupal File (Field) Paths allows authenticated users to access private files belonging to other users. The flaw arises from filename-collision uploads, which can cause the system to process incorrect file URIs and bypass normal access controls on private files within Drupal 7.x installations utilizing the affected module.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["drupal_7.x"], "status": "affected", "versions": {"scheme": "generic", "value": "[7.x-1.0,7.x-1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Drupal File (Field) Paths", "source": "cna", "vendor": "Drupal"}, "product": "drupal_file_paths", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T06:29:22.837527+00:00", "value": {"mitigation_remediation": ["Apply the Drupal 7.1.3 release or later that contains the fix for File (Field) Paths.", "Restrict file upload permissions to trusted users, limiting who can add files to the system.", "Verify that filename collisions no longer expose private file URIs by testing uploads after the update.", "Consult the vendor advisories linked in the references for any additional environmental considerations."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure"}, "threat_synthesis": {"affected_systems": "Drupal File (Field) Paths is affected in all Drupal 7.x releases before 7.1.3. The vulnerability applies across all environments where the module is enabled and where users possess upload permissions. No specific operating system or server platform is required; the issue is tied to the Drupal code base itself.", "description_and_impact": "An authenticated user in Drupal 7.x can upload a file that overwrites the URI of an existing private file, causing the system to expose the private file to the uploader. The flaw resides in the file URI processing of File (Field) Paths when filename collisions occur. The result is unauthorized disclosure of private user content, violating confidentiality. This weakness maps to CWE\u2011200 Information Exposure and CWE\u201173 Relative Path Traversal.", "risk_and_exploitability": "The CVSS base score is 6.9, indicating a moderate severity. Exploitability is limited to authenticated users with permission to upload files, meaning an attacker must first gain legitimate access to the site. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known public exploit yet. Nevertheless, because it enables exposure of private files, administrators should treat it as a non\u2011trivial risk, especially on sites handling sensitive content."}}}}, "created": "2026-03-27T08:31:46.592391+00:00", "updated": "2026-03-27T09:23:13.453606+00:00", "vendors": ["drupal", "drupal$PRODUCT$drupal_file_paths"]}