CVE-2026-3526

CVE-2026-3526: File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

Vendor Drupal

Product File Access Fix (deprecated)

Weakness CWE-863 · Incorrect authorization

Published March 26, 2026

Last update March 27, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0.

Explanation of Vulnerability in Simple Terms

02Summary

The File Access Fix module for Drupal contains an authorization flaw that allows users to access files or perform actions they should not be permitted to. The vulnerability affects versions before 1.2.0. Site administrators should update to version 1.2.0 or later to resolve the issue. The module is deprecated and users should consider migrating to maintained alternatives.

What an attacker can do

03Attacker Capabilities

Access or modify files or perform actions beyond their assigned permissions.

Potential impact on your site

04Site Impact

Unauthorized users may access sensitive files or perform unintended actions on your site.

Conditions required to exploit

05Prerequisites

Attacker must have some level of access to the Drupal site; specific requirements unknown.

Key dates

06Disclosure timeline

March 26, 2026 CVE published

March 27, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3526

Related vulnerabilities