{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3525", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:52.841Z", "datePublished": "2026-03-26T20:02:25.154Z", "dateUpdated": "2026-03-26T20:02:25.154Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:02:25.154Z"}, "title": "File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020", "datePublic": "2026-03-04T17:54:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Drupal", "product": "File Access Fix (deprecated)", "collectionURL": "https://www.drupal.org/project/file_access_fix", "repo": "https://git.drupalcode.org/project/file_access_fix", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.<p>This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-020"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Merlin Axel Rutz (geek-merlin)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0."}], "id": "CVE-2026-3525", "lastModified": "2026-03-26T21:17:08.437", "metrics": {}, "published": "2026-03-26T21:17:08.437", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-020"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "File Access Fix (deprecated)", "source": "cna", "vendor": "Drupal"}, "product": "file_access_fix_(deprecated)", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:38:37.527078+00:00", "value": {"mitigation_remediation": ["Verify the current version of the Drupal File Access Fix (deprecated) module in your installation.", "Update the module to version 1.2.0 or newer, following the guidance in Drupal Security Advisory SA-CONTRIB-2026-020.", "If an upgrade is not possible, disable or remove the deprecated File Access Fix module and consider an alternative file access solution."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal File Access Fix (deprecated) module in all versions from the initial release 0.0.0 up to but not including 1.2.0. Users who have installed this module within that version range are at risk. No additional vendors or products are reported as affected.", "description_and_impact": "An incorrect authorization flaw in the Drupal File Access Fix (deprecated) module enables forceful browsing, allowing an attacker to request and retrieve files that the system otherwise would deny. The weakness is an access control bypass, classified as CWE-863. Consequently, attackers could gain unauthorized access to sensitive files or system configuration data, threatening confidentiality and integrity.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS data is unavailable, but the issue carries a moderately critical rating in Drupal\u2019s advisory, indicating significant risk. Because the flaw stems from an authorization check, the likely exploitation vector is web-based: an attacker simply requests the protected file URLs. No elevated privileges are required for exploitation. Though the vulnerability is not listed in CISA\u2019s KEV catalog, its presence in a widely deployed module warrants prompt action."}}}}, "created": "2026-03-27T08:32:19.008448+00:00", "updated": "2026-03-27T09:25:15.792944+00:00", "vendors": ["drupal", "drupal$PRODUCT$file_access_fix_(deprecated)"]}