Description
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Published: 2026-03-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Authenticated users can upload files with names that collide with existing private file names, causing the system to overwrite or expose the private file URI. This flaw allows the attacker to obtain the contents of another user’s private files, violating confidentiality and bypassing normal access controls on private resources. The weakness is a file name collision in the file URI processing logic, leading to inadequate checks before exposure.

Affected Systems

Drupal systems running the File (Field) Paths module before version 7.1.3 are affected. The vulnerability exists in Drupal 7.x, specifically in the File (Field) Paths component shipped with versions older than 7.1.3.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to trigger the collision; the attack vector is a standard file upload via authenticated users. Once executed, it can expose private files without further interaction, but does not provide privilege escalation or code execution.

Generated by OpenCVE AI on April 2, 2026 at 21:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Drupal to version 7.1.3 or later
  • Restrict file upload permissions for authenticated users to prevent filename collisions
  • Monitor file upload logs for unusual activity and potential collisions
  • Consult Drupal security advisories for additional protection measures

Generated by OpenCVE AI on April 2, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Deciphered
Deciphered filefield Paths
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:deciphered:filefield_paths:*:*:*:*:*:drupal:*:*
Vendors & Products Deciphered
Deciphered filefield Paths
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Sat, 28 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal drupal File Paths
Vendors & Products Drupal
Drupal drupal File Paths

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-73
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Important

Thu, 26 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Title Information disclosure via file URI overwrite in File (Field) Paths
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Deciphered Filefield Paths
Drupal Drupal File Paths
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T19:39:20.961Z

Reserved: 2026-01-28T17:20:34.800Z

Link: CVE-2026-1556

cve-icon Vulnrichment

Updated: 2026-03-27T19:30:48.890Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T22:16:27.843

Modified: 2026-04-02T20:33:54.250

Link: CVE-2026-1556

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T21:14:20Z

Links: CVE-2026-1556 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:48Z

Weaknesses