Description
Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from an insufficient authorization check in Drupal’s File Access Fix module, allowing forced browsing of files. Attackers can request arbitrary files that the site should protect, potentially exposing configuration data, source code, or other sensitive content. The weakness is catalogued as CWE‑863, reflecting a failure to enforce proper authorization.

Affected Systems

The issue affects Drupal sites that have the File Access Fix module installed in any release preceding version 1.2.0, including all releases from 0.0.0 through 1.1.x. The module is marked as deprecated, but any system still running these versions remains vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1 % suggests low current exploitation likelihood; it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the exploit can be carried out remotely via HTTP requests to the Drupal site, requiring no special privileges beyond being able to reach the affected module through the web interface.

Generated by OpenCVE AI on April 1, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the File Access Fix module to version 1.2.0 or later.
  • If an upgrade is not possible, disable or uninstall the module immediately.
  • Verify that the module is no longer active on the site.
  • Test that restricted files are no longer publicly accessible.
  • Keep Drupal core and all modules regularly updated to avoid similar issues.

Generated by OpenCVE AI on April 1, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-021 cve-icon cve-icon
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Geeks4change
Geeks4change file Access Fix
CPEs cpe:2.3:a:geeks4change:file_access_fix:*:*:*:*:*:drupal:*:*
Vendors & Products Geeks4change
Geeks4change file Access Fix

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal file Access Fix (deprecated)
Vendors & Products Drupal
Drupal file Access Fix (deprecated)

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.
Title File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Weaknesses CWE-863
References

Subscriptions

Drupal File Access Fix (deprecated)
Geeks4change File Access Fix
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T18:17:51.547Z

Reserved: 2026-03-04T16:41:54.347Z

Link: CVE-2026-3526

cve-icon Vulnrichment

Updated: 2026-03-27T18:16:47.815Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.600

Modified: 2026-03-31T20:33:47.987

Link: CVE-2026-3526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:30Z

Weaknesses