Description
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access via forceful browsing
Action: Disable Module
AI Analysis

Impact

An incorrect authorization check in the File Access Fix (deprecated) module allows attackers to perform a forceful browsing attack, enabling them to retrieve files that should be protected. This flaw is classified as a CWE-863 vulnerability and carries a CVSS score of 5.3, indicating a moderate impact on confidentiality.

Affected Systems

Drupal sites that have installed the File Access Fix (deprecated) module with any version from 0.0.0 through 1.1.9 are affected. The vulnerability is specific to that module within the Drupal ecosystem and therefore only those sites using it are at risk.

Risk and Exploitability

The moderate CVSS rating and EPSS score below 1 % suggest that exploitation is unlikely at a large scale. Because the description does not mention the need for authentication or special privileges, it is inferred that the attack can be carried out by sending crafted HTTP requests to protected file URLs from the public internet. The flaw is not listed in the CISA KEV catalog, further indicating low current exploitation activity.

Generated by OpenCVE AI on April 1, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the File Access Fix (deprecated) module from the Drupal installation.
  • If the functionality is required, replace it with a maintained alternative or upgrade to a version where the issue is resolved.
  • Set file permissions on the web server so that confidential files cannot be served directly to unauthenticated users.
  • Review server and application logs for unusual file access patterns to detect potential abuse.

Generated by OpenCVE AI on April 1, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-020 cve-icon cve-icon
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Geeks4change
Geeks4change file Access Fix
CPEs cpe:2.3:a:geeks4change:file_access_fix:*:*:*:*:*:drupal:*:*
Vendors & Products Geeks4change
Geeks4change file Access Fix

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal file Access Fix (deprecated)
Vendors & Products Drupal
Drupal file Access Fix (deprecated)

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Title File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Weaknesses CWE-863
References

Subscriptions

Drupal File Access Fix (deprecated)
Geeks4change File Access Fix
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T18:48:21.916Z

Reserved: 2026-03-04T16:41:52.841Z

Link: CVE-2026-3525

cve-icon Vulnrichment

Updated: 2026-03-27T18:46:12.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.437

Modified: 2026-03-31T20:24:46.427

Link: CVE-2026-3525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:31Z

Weaknesses